Possible Duplicate: MySQL - when to use single quotes, double quotes, and backticks?
Question 1

Why does this work?

"SELECT `id` FROM `table` WHERE x= '".$y."'"

but not this?

"SELECT `id` FROM `table` WHERE 'x' = '".$y."'"
                                ^ ^ Notice the extra single quotes

Question 2

Is it better to do id over `id` (with the weird quotes)? Or is it because the double quotes make it be interpreted as a variable?
Accepted answer
Because the server reads x as a value, since it is wrapped in single quotes. Backticks escape a reserved keyword used within the query; they are usually used to wrap around column names and table names.

In your query,

SELECT `id` FROM `table` WHERE 'x' = '$y'

x is not a column but a string value.

For question 2, you can eliminate those backticks around id since it is not a reserved keyword. Here is the full list of reserved keywords in MySQL:

MySQL Reserved Keyword

As a side note, the query is vulnerable to SQL injection. Please take a look at the article below to learn how to prevent it. By using prepared statements you can get rid of using single quotes around values.

How to prevent SQL injection in PHP?
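Added example (not part of the question or the answer): the three query forms discussed above, run against an in-memory SQLite database, which like MySQL accepts backticks around identifiers and single quotes around string literals. The table, column values and the name y are constructed for the demonstration; it shows the column comparison returning the matching row, the quoted-'x' form comparing a constant instead of the column, and a bound parameter carrying a value with an apostrophe that the concatenated form cannot.

```python
import sqlite3

# Constructed sample data standing in for the asker's `table` with column x.
ROWS = [(1, "alpha"), (2, "beta"), (3, "O'Brien")]


def make_db():
    conn = sqlite3.connect(":memory:")
    # Backticks quote the identifiers `id` and `table`, exactly as in the
    # question; `table` is a keyword, so it must be quoted to serve as a name.
    conn.execute("CREATE TABLE `table` (`id` INTEGER PRIMARY KEY, x TEXT)")
    conn.executemany("INSERT INTO `table` (`id`, x) VALUES (?, ?)", ROWS)
    return conn


def ids_column_compare(conn, y):
    # Correct form: unquoted x names the column. The value y is bound as a
    # parameter (the prepared-statement approach), not spliced into the SQL.
    cur = conn.execute("SELECT `id` FROM `table` WHERE x = ?", (y,))
    return [r[0] for r in cur.fetchall()]


def ids_literal_compare(conn, y):
    # The asker's broken form: 'x' is a string literal, not the column, so the
    # WHERE clause compares the constant 'x' to y for every row.
    cur = conn.execute("SELECT `id` FROM `table` WHERE 'x' = ?", (y,))
    return [r[0] for r in cur.fetchall()]


def ids_concatenated(conn, y):
    # The concatenation pattern from the question. An ordinary value that
    # contains an apostrophe terminates the literal early and breaks the
    # statement; the same value passes through a bound parameter untouched.
    try:
        cur = conn.execute("SELECT `id` FROM `table` WHERE x = '" + y + "'")
        return [r[0] for r in cur.fetchall()]
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


if __name__ == "__main__":
    db = make_db()
    print(ids_column_compare(db, "beta"))     # [2]
    print(ids_literal_compare(db, "beta"))    # []  ('x' is never 'beta')
    print(ids_literal_compare(db, "x"))       # [1, 2, 3]  every row matches
    print(ids_concatenated(db, "O'Brien"))    # error: near "Brien": ...
    print(ids_column_compare(db, "O'Brien"))  # [3]
```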