Possible Duplicate:
MySQL - when to use single quotes, double quotes, and backticks?
Question 1
Why does this work?
"SELECT `id` FROM `table` WHERE x= '".$y."'"
but not this?
"SELECT `id` FROM `table` WHERE 'x' = '".$y."'"
Notice the extra single quotes around x.
Question 2
Is it better to do id over `id` (with the weird quotes)? Or is it because double quotes make it interpret as a variable?
1 solution
#1
6
Because the server reads x as a value, as it is wrapped with single quotes. Backtick escapes a reserved keyword used within the query; usually it is used to wrap around column names and table names.
In your query,

SELECT `id` FROM `table` WHERE 'x' = '$y'

x is not a column but a string value.
For question 2, you can eliminate those backticks around id since it is not a reserved keyword. Here is a full list of reserved keywords in MySQL:
- MySQL Reserved Keyword
As a sidenote, the query is vulnerable to SQL injection. Please take a look at the article below to learn how to prevent it. By using PreparedStatements you can get rid of using single quotes around values.
- How to prevent SQL injection in PHP?
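The following is an added example, not code from the question or the answer, that runs the three points of the answer against a real database: backticks make a reserved word usable as a table name, a single-quoted 'x' is a string literal and not the column, and the concatenated query can be broken out of while the placeholder form cannot. It uses Python's sqlite3 rather than MySQL with PHP so it runs offline; the assumption is that SQLite handles backtick-quoted identifiers, single-quoted string literals and the reserved word table the same way MySQL does for these queries. The table, rows and injection payload are constructed for the example.

```python
import sqlite3

# Constructed sample data for this example; the column names mirror the question.
SAMPLE_ROWS = [(1, "alpha"), (2, "beta"), (3, "x")]


def setup():
    """Create an in-memory database with a table literally named `table`.

    `table` is a reserved word in SQLite as in MySQL, so the backticks are required
    here; `id` is quoted only to mirror the question and could be left bare.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE `table` (`id` INTEGER PRIMARY KEY, `x` TEXT)")
    conn.executemany("INSERT INTO `table` (`id`, `x`) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def unquoted_reserved_word_fails(conn):
    """Show why the backticks matter: the same name unquoted is a syntax error."""
    try:
        conn.execute("SELECT id FROM table")
        return False
    except sqlite3.OperationalError:
        return True


def ids_where_column_x(conn, y):
    """The working form: bare x is an identifier, compared against the bound value.

    The ? placeholder is the prepared-statement form the answer recommends: y is
    sent as data, so no quotes go around it in the SQL text and it cannot change
    the structure of the query.
    """
    rows = conn.execute("SELECT `id` FROM `table` WHERE x = ? ORDER BY `id`", (y,))
    return [r[0] for r in rows]


def ids_where_literal_x(conn, y):
    """The broken form: 'x' in single quotes is a string literal, not a column.

    The WHERE clause compares two constants, so it is true for every row when
    y == 'x' and for no row otherwise; the contents of the table never matter.
    """
    rows = conn.execute("SELECT `id` FROM `table` WHERE 'x' = ? ORDER BY `id`", (y,))
    return [r[0] for r in rows]


def ids_concat_unsafe(conn, y):
    """The concatenation pattern from the question, kept deliberately vulnerable.

    Because y is pasted into the SQL text, a value containing a single quote
    ends the literal early and the remainder is parsed as SQL.
    """
    sql = "SELECT `id` FROM `table` WHERE x = '" + y + "' ORDER BY `id`"
    return [r[0] for r in conn.execute(sql)]


if __name__ == "__main__":
    conn = setup()
    print("unquoted `table` fails:", unquoted_reserved_word_fails(conn))
    print("x = 'beta'        ->", ids_where_column_x(conn, "beta"))
    print("'x' = 'beta'      ->", ids_where_literal_x(conn, "beta"))
    print("'x' = 'x'         ->", ids_where_literal_x(conn, "x"))
    payload = "' OR '1'='1"  # constructed injection payload
    print("concat, payload   ->", ids_concat_unsafe(conn, payload))
    print("prepared, payload ->", ids_where_column_x(conn, payload))
```

With the payload, the concatenated query becomes WHERE x = '' OR '1'='1' and returns every row, while the placeholder query looks for a row whose x column literally equals the payload and returns nothing. The same split applies in PHP with mysqli or PDO prepared statements: the value goes through bind_param or execute's parameter array, never through string concatenation.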