Coding of parameter-value for SELECT in PHP-MySQL

Question

alt A below is a statement from a php-mysql tutorial. It works as it should.
I found the id-value rather obfuscated and tested alt B. This also worked!
What is the point with the id-value of alt A?
MySQL 5.0.51, PHP 5.2.6
// alt A :
$sql="SELECT * FROM exempel WHERE id = '".$q."'";
// alt B :
$sql="SELECT * FROM exempel WHERE id = $q";

Answer 1

in 'alt B', $q must be an int or float or other numeric

in 'alt A', $q can be anything a string, int, etc.

The single quote makes that possible. It's just hard to see sometimes if you are looking at it for the first time.

Answer 2

This are just two different approaches to building a string from static and variable data.

Alternative A uses concatenation, or the joining of string and variable tokens using the concatenation operator.

Alternative B uses variable expansion, wherein the variables inside a double-quote-delimited string are expanded to their values at evaluation time.

Neither is necessarily better or preferred, but if you have to have single-quote-delimited strings, for example, then you would need to use alternative A.

Of course, neither of these is preferable to building SQL queries with bound parameters, as not doing so leaves you vulnerable to SQL injection attacks.

Answer 3

Theres two reasons to use the example in 'Alt A'. First is if the string is enclosed in single quotes '', the variable's name will be used in the string instead of it's value.

$id = 7;
'SELECT * FROM table WHERE id = $id' //works out to: WHERE id = $id
"SELECT * FROM table WHERE id = $id" //works out to: WHERE id = 7

Secondly, it's useful to combine strings with the results of a function call.

"SELECT * FROM table WHERE id = '".getPrimaryId()."'"

Answer 4

Outside of what has already been said I've found it best practice, if I'm writing a query, to write it as so:

$sql = "SELECT * FROM table WHERE uid=" . $uid . " LIMIT 1";

The reason for writing SQL like this is that 1. MySQL query doesn't have to parse the PHP variables in the Query and 2 you now easily read and manage the query.

Answer 5

When PHP communicates with MySQL, it is actually (in essence) two languages communicating with each other. This means that a string will be processed by the first language before being sent to the other. It also means that it is important to think in terms of the receiving language

In this case:

$q = 'some_name';<br/>
$query = "SELECT * FROM exempel WHERE id = $q";<br/>

you are telling MySQL to
"SELECT * FROM example1 WHERE id = some_name.

In this case:

$q = 'some_name';<br/>
$query = "SELECT * FROM exempel WHERE id = '$q'";<br/>

and this case:

$q = 'some_name';<br/>
$query = "SELECT * FROM exempel WHERE id = '".$q."'";<br/>

you are telling MySQL to
"SELECT * FROM example1 WHERE id = 'some_name'.

The first example should cause an error as some_name is not a valid part of a MySQL query (in that context). On the other hand, the next two will work fine, because MySQL will look for the String "some_name".

Answer 6

You can also do this:

$sql="SELECT * FROM exempel WHERE id = {$q}";

which is useful for setting off things like:

$sql="SELECT * FROM exempel WHERE id = {$row[id]}";