mac007 Posted December 14, 2010

Hi, all... I have a basic question here as the newbie that I am... Many times, in some scripts, I see (I think, if not mistaken) places where, within an echo statement, variables are echoed like this with no quotes:

echo "First Name: $firstName and Last Name: $lastName";

as opposed to like one would expect:

echo "First Name: " . $firstName . " and Last Name: " . $lastName;

Sometimes I see that also when variables are used in select/update statements, I think... like this:

$query = mysql_query("SELECT * FROM table WHERE column = $columnname");

Instead of like this, within quotes:

$query = mysql_query("SELECT * FROM table WHERE column = '$columnname'");

Is it because some of these values may be numbers (numeric) as opposed to "strings"? Not sure if I make sense... appreciate the feedback. Thanks!

Link to comment: https://forums.phpfreaks.com/topic/221572-variables-sometimes-quoted-or-not-unquoted-in-echos-or-selectupdate-statements/
Zurev Posted December 14, 2010

While it's best practice when selecting information from a database to have the column enclosed in single quotes, and I believe table names in tildes, it works without them, so I think it's a shortcut; however, don't take my word on that. As for your echo statements, they would work just fine without any of that concatenation, since double quotes allow variables to be parsed, so:

echo "First Name: " . $firstName . " and Last Name: " . $lastName;

is the same as:

echo "First Name: $firstName and Last Name: $lastName";
trq Posted December 14, 2010

> While it's best practice when selecting information from a database to have the column enclosed in single quotes, and I believe table names in tildes, it works without them

I'm not sure where you got that from. String literals in SQL must be surrounded by quotes.
mac007 Posted December 14, 2010 (Author)

Thanks Zurev/Thorpe... thanks for clearing up the double-quoting on the echo statements. I didn't know that and hadn't realized it was because the string being echoed was enclosed in double quotes. That solves that mystery for me. On the SQL, I thought I had seen that somewhere... maybe I was looking at the wrong thing...

I wonder why I don't see the double quoting of strings when echoing them, since it seems it would make life a hell of a lot easier not having to concatenate and do all that quoting back and forth to echo the variables... could it be a security issue? Not having them quoted?
trq Posted December 14, 2010

> I wonder why I don't see the double quoting of strings when echoing them, since it seems it would make life a hell of a lot easier not having to concatenate and do all that quoting back and forth to echo the variables... could it be a security issue? Not having them quoted?

Can we see an example of what you mean?
MMDE Posted December 14, 2010

> > I wonder why I don't see the double quoting of strings when echoing them, since it seems it would make life a hell of a lot easier not having to concatenate and do all that quoting back and forth to echo the variables... could it be a security issue? Not having them quoted?
>
> Can we see an example of what you mean?

Let's say we're doing an update query; you expect an input to be a number and it is the name of one of the columns... Of course, a number rarely does much damage, but it can be used to set stuff that isn't supposed to be that way. Of course, you should always make sure the input is what you expect.
trq Posted December 14, 2010

Pardon?
MMDE Posted December 14, 2010

Sure, correct me if I'm wrong:

$money = 'id';
$id = 5000;
mysql_query('UPDATE table SET money=' . $money . ' WHERE id = ' . $id);

Wouldn't this person be able to get 5000 "money" now?
mac007 Posted December 14, 2010 (Author)

Sorry, what I meant to say was: I wonder why I don't see the double quoting of strings DONE MORE OFTEN PROGRAMMING-WISE when echoing strings, since it seems it would make life a hell of a lot easier not having to concatenate and do all that quoting back and forth to echo the variables... could it be a security issue? Not having them quoted?
trq Posted December 14, 2010

> Sure, correct me if I'm wrong:
>
> $money = 'id';
> $id = 5000;
> mysql_query('UPDATE table SET money=' . $money . ' WHERE id = ' . $id);
>
> Wouldn't this person be able to get 5000 "money" now?

No. That would attempt to set the money field to the string 'id', which should fail, given that the money field should likely be a numeric type.
trq Posted December 14, 2010

> Sorry, what I meant to say was: I wonder why I don't see the double quoting of strings DONE MORE OFTEN PROGRAMMING-WISE when echoing strings, since it seems it would make life a hell of a lot easier not having to concatenate and do all that quoting back and forth to echo the variables... could it be a security issue? Not having them quoted?

Strings cannot exist without quotes. You need to post an example of what you're talking about.
MMDE Posted December 14, 2010

No, it wouldn't handle it as a string, you see...

$money = 'id';
$id = 5000;
mysql_query('UPDATE table SET money=' . $money . ' WHERE id = ' . $id);

This way it would have done that:

$money = 'id';
$id = 5000;
mysql_query('UPDATE table SET money=\'' . $money . '\' WHERE id = ' . $id);

but I didn't make it a string for the query, because it would be a number... I'm not 100% sure if what I wrote above is the case. I'm kind of wondering if it is, as it would make sense to me if it is... I will test and see!
mac007 Posted December 14, 2010 (Author)

I mean, as in my original question regarding NOT having to use single quotes to echo variables if the string is enclosed within double quotes... like so:

echo "First Name: $firstName and Last Name: $lastName";

I was simply wondering why I don't see echoing being done this way more commonly, especially when sometimes one has to echo a bunch of variables within a string and has to concatenate the darn variables like crazy. Seems like it's so much easier this way...
MMDE Posted December 14, 2010

> I mean, as in my original question regarding NOT having to use single quotes to echo variables if the string is enclosed within double quotes... like so:
>
> echo "First Name: $firstName and Last Name: $lastName";
>
> I was simply wondering why I don't see echoing being done this way more commonly, especially when sometimes one has to echo a bunch of variables within a string and has to concatenate the darn variables like crazy. Seems like it's so much easier this way...

I would say the opposite: using magic quotes (double) isn't really that smart coding from what I've heard; it is easy, though. I use single if it is a string.
trq Posted December 14, 2010

> I mean, as in my original question regarding NOT having to use single quotes to echo variables if the string is enclosed within double quotes... like so:
>
> echo "First Name: $firstName and Last Name: $lastName";
>
> I was simply wondering why I don't see echoing being done this way more commonly, especially when sometimes one has to echo a bunch of variables within a string and has to concatenate the darn variables like crazy. Seems like it's so much easier this way...

It is fairly common practice to use double-quoted strings when you are going to interpolate variables into the string. Hence, it's a very common way of writing SQL queries.

> No, it wouldn't handle it as a string, you see...
>
> $money = 'id';
> $id = 5000;
> mysql_query('UPDATE table SET money=' . $money . ' WHERE id = ' . $id);
>
> This way it would have done that:
>
> $money = 'id';
> $id = 5000;
> mysql_query('UPDATE table SET money=\'' . $money . '\' WHERE id = ' . $id);
>
> but I didn't make it a string for the query, because it would be a number... I'm not 100% sure if what I wrote above is the case. I'm kind of wondering if it is, as it would make sense to me if it is... I will test and see!

Yeah, I missed that actually. Still, all this would do is cause a syntax error, considering that the chars id are not numeric.
MMDE Posted December 14, 2010

It is as I said; I tested it... and it worked! It gave me 5000 money. It will use the MySQL "variable"/column name id's value to set the money value. And the id value is known from the WHERE id = 5000.
trq Posted December 14, 2010

Sorry, yeah, I see what you were getting at now. It set the money field to the value stored within the id field. Makes perfect sense. Obviously this is a good example of the trouble poorly written queries can cause.
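The column-reference problem MMDE tested above (an unquoted, unvalidated value such as `id` being read by the database as a column name rather than a value), reproduced and then closed off. This is an added example, not code from the thread: it uses Python's sqlite3 module instead of mysql_query so it runs without a MySQL server, and the accounts table, its rows and the function names are all constructed for the example.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data: an accounts table with an id and a money balance.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, money INTEGER NOT NULL)")
    conn.executemany("INSERT INTO accounts (id, money) VALUES (?, ?)",
                     [(5000, 10), (5001, 20)])
    conn.commit()
    return conn


def balance(conn, account_id):
    row = conn.execute("SELECT money FROM accounts WHERE id = ?", (account_id,)).fetchone()
    return row[0]


def unquoted_update(conn, money, account_id):
    # The thread's pattern: both values are spliced into the SQL text unquoted.
    # If `money` arrives as the text "id", the database parses it as the column
    # name id, so the row's money becomes its own id value (5000), as MMDE observed.
    sql = "UPDATE accounts SET money=" + str(money) + " WHERE id = " + str(account_id)
    conn.execute(sql)
    conn.commit()
    return balance(conn, account_id)


def bound_update(conn, money, account_id):
    # Parameter binding: the driver sends "id" as a value, never as SQL text, so it
    # cannot be read as a column reference. SQLite's loose typing stores the string;
    # MySQL in strict mode would instead reject it for an INTEGER column.
    conn.execute("UPDATE accounts SET money = ? WHERE id = ?", (money, account_id))
    conn.commit()
    return balance(conn, account_id)


def parse_int(value):
    # Allow-list check for values that must be numeric: only an optional sign and
    # digits pass; anything else ("id", "", "5 OR 1=1") is rejected before any SQL runs.
    if not isinstance(value, str) or re.fullmatch(r"-?[0-9]+", value) is None:
        raise ValueError("expected an integer, got %r" % (value,))
    return int(value)


def safe_update(conn, money, account_id):
    # Hardened form: validate the type first, then bind. Either layer alone stops
    # the money=id trick; together they also keep the column genuinely numeric.
    return bound_update(conn, parse_int(money), parse_int(account_id))


if __name__ == "__main__":
    db = make_db()
    print("unquoted:", unquoted_update(db, "id", 5000))      # 5000: read as column id
    db = make_db()
    print("bound:   ", repr(bound_update(db, "id", 5000)))   # 'id': stored as a plain value
    db = make_db()
    try:
        safe_update(db, "id", "5000")
    except ValueError as exc:
        print("safe:    ", exc)                                # rejected before any SQL runs
    print("safe:    ", safe_update(db, "75", "5000"))          # 75
```

The first call reproduces what trq and MMDE arrived at: nothing in the SQL distinguishes a value from an identifier once the text is spliced in. Binding fixes that regardless of quoting, and the integer check stops a non-numeric value from reaching the database at all, which is the "make sure the input is what you expect" point from earlier in the thread.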
Zurev Posted December 14, 2010

> > While it's best practice when selecting information from a database to have the column enclosed in single quotes, and I believe table names in tildes, it works without them
>
> I'm not sure where you got that from. String literals in SQL must be surrounded by quotes.

I ran a query without quotes and it ran; it inserted them for me.
MMDE Posted December 14, 2010

> > > While it's best practice when selecting information from a database to have the column enclosed in single quotes, and I believe table names in tildes, it works without them
> >
> > I'm not sure where you got that from. String literals in SQL must be surrounded by quotes.
>
> I ran a query without quotes and it ran; it inserted them for me.

String values need string quotes! In my example, it shows what can happen if you don't check the input data and don't use quotes on numbers. There's no must on using string quotes on columns or numbers. Just like in PHP. Magic quotes are for lazy people.