When to, and when not to use quotations in PHP

phpBB3 and MOD challenges setup by the staff to test and challenge your phpBB3 coding skills.

Postby Michaelo » 12 Feb 2007, 21:40

I have always had problems with whether to use ' or " as the post data could contain a hack... Now I know the code checks the post data and removes potential problems but I don't know how it is done (not having looked at the code and not fully sure I would understand it) so can you give me a rule of thumb regarding ' and " in code?
Mike...
Stargate Portal (Dev Site) phpBB 3.0.9 version II 99%.
Kiss Portal Engine (Dev Site) phpBB 3.0.10 99%.


Re: Quick Posting 1.1.1

Postby Handyman » 12 Feb 2007, 23:49

Sure.
Always... no wait... Never

When using quotes, always use a single quote ' (except for HTML tag attributes).
You'll want to use double quotes " for parsing PHP and any time a single quote is needed inside a string, such as the example above.

Here are a few examples.
For language files, always use single quotes unless there is an apostrophe in the string.
Bad:
Code:
'TEST_CODE' => 'I\'m using double quotes here because I have an apostrophe in this string',

Good:
Code:
'TEST_CODE' => "I'm using double quotes here because I have an apostrophe in the string",

In SQL queries, you always want to start out using single quotes and use them for as long as possible... double quotes can be used to run PHP (single quotes can't do this).
Code:
$sql = 'SELECT * FROM ' . USERS_TABLE . " WHERE user_id = $user_id";

See how after the USERS_TABLE we switch to double quotes so we can run the $user_id?
If we use single quotes in that area, we would need to break out of the single quotes, otherwise it shows up as "$user_id" instead of "2" like it's supposed to.

So basically, use single quotes whenever possible, but double quotes can be used if you have an apostrophe or if there is PHP involved.
If you have an array, you have to put brackets around the PHP variable, otherwise it will have a fit inside of double quotes.

Example (good code)
Code:
$sql = 'SELECT * FROM ' . USERS_TABLE . " WHERE user_id = {$user->data['user_id']}";


I hope that sheds some light on the situation.
Please contact me if you have any news to submit to SCOFF News.
SCOFFing at the candidates while you sleep.
My Mods || My Mod Queue

Re: Quick Posting 1.1.1

Postby Highway of Life » 13 Feb 2007, 00:00

It's basically the same as normal PHP, not much changed... generally you would use ' instead of " except for when you need to use it... such as:
Code:
$var = 'this isn\'t good';
$var = 'this isn’t really that great either... but it is an option';
$var = "but this is okay when using ' inside the string";

// for returns (i.e. newlines) you want to use double quotes...
$var = "this will return\na newline";
$var = "this will also\rreturn a newline";
$var = 'this will NOT\nreturn a newline, it will parse as is';

// you can also put variables inside double quotes...
// This will work...
$sql = 'SELECT * FROM ' . DATABASE_TABLE . " WHERE user_id = $user_id";
// This will also work...
$sql = 'SELECT * FROM ' . DATABASE_TABLE . " WHERE user_id = {$user->data['user_id']}";
// The brackets tell it there is a string inside, so those are needed in that case.
// The double quotations allow the variables to be used as variables, and the content of the variable will be used.

// This will NOT work...
$sql = 'SELECT * FROM ' . DATABASE_TABLE . ' WHERE user_id = $user_id';
// This will also not work...
$sql = 'SELECT * FROM ' . DATABASE_TABLE . ' WHERE user_id = {$user->data[\'user_id\']}';
// both will try and find '$user_id' instead of the contents of the variable.

// If you need to specify a string in a database query, then this should be used:
$sql = 'SELECT * FROM ' . DATABASE_TABLE . " WHERE username = '" . $username . "'";
// you can also use...
$sql = 'SELECT * FROM ' . DATABASE_TABLE . " WHERE username = '{$username}'"; // I *think*... handyman knows for sure on this one.
Watch out! I might do a code wheelie!


Re: Quick Posting 1.1.1

Postby Handyman » 13 Feb 2007, 00:09

One last thing... BTW, thanks for that Highway, that was a much cleaner explanation than mine... and your last one was correct.

When dealing with the database, integers don't need quotes of any kind to work properly... so you can use
Code:
"user_id = $user_id";

// if there are characters involved, you will need to do this instead
"username = '$username'";
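Added example, not code from this thread or from phpBB: the quoting rules from Handyman's and Highway of Life's posts and the integer/string distinction from the post above, run as one stand-alone PHP script. The sample values and the demo_escape() stand-in are constructed; real phpBB3 MOD code would call the DBAL's $db->sql_escape() instead.

```php
<?php
// Added example (not from the thread or phpBB): the quoting rules above,
// run as a script. All values below are constructed sample data.
$user_id    = 2;
$user       = new stdClass();
$user->data = array('user_id' => 2);

// Single quotes: no interpolation; only \' and \\ are escape sequences.
$a = 'WHERE user_id = $user_id';                 // literally "$user_id"
$b = 'this will NOT\nreturn a newline';          // backslash-n stays two chars

// Double quotes: variables and escapes are parsed; array access needs braces.
$c = "WHERE user_id = $user_id";                 // WHERE user_id = 2
$d = "WHERE user_id = {$user->data['user_id']}"; // WHERE user_id = 2
$e = "line one\nline two";                       // contains a real newline

var_dump($a === 'WHERE user_id = $user_id');     // bool(true)
var_dump($c === $d);                             // bool(true)
var_dump(strpos($b, "\n") === false);            // bool(true)
var_dump(strpos($e, "\n") !== false);            // bool(true)

// Neither quoting style makes request data safe: both just build a string.
// Constrain the value itself before it is spliced into the SQL.
function where_user_id($raw)
{
    // integer column: the cast yields a bare number, so no SQL quotes are needed
    return 'WHERE user_id = ' . (int) $raw;
}

function where_username($raw)
{
    // string column: single-quote it in the SQL and escape the value first.
    // demo_escape() is a stand-in; phpBB3 code calls $db->sql_escape() here.
    return "WHERE username = '" . demo_escape($raw) . "'";
}

function demo_escape($s)
{
    // doubling a single quote is how SQL embeds one inside a quoted string;
    // real code uses the database layer's escaper, which knows the dialect
    return str_replace("'", "''", $s);
}

echo where_user_id('2abc'), "\n";       // WHERE user_id = 2
echo where_username("O'Brien"), "\n";   // WHERE username = 'O''Brien'
```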

Re: When to, and when not to use quotations in PHP

Postby Highway of Life » 13 Feb 2007, 00:12

Topic split... moved to beginner courses

Re: When to, and when not to use quotations in PHP

Postby Michaelo » 13 Feb 2007, 01:17

I can't think of a case in C/C++ where I would use ' in place of "; if it's a string it is always "..." and that used to confuse me, but not any more.

I guess the bottom line is as Highway says above (generally you would use ' instead of " except for when you need to use it.)

Just one other question... There are occasions when you should never use " aren't there?
Last edited by Michaelo on 13 Feb 2007, 02:37, edited 2 times in total.

Re: When to, and when not to use quotations in PHP

Postby LEW21 » 13 Feb 2007, 01:47

You can (and I think that you should) always use '.
Using '... \' ...' is 100 times faster than "... ' ...", because the parser doesn't have to check all letters to see if they can be parsed. In phpBB language files you should always use ’ instead of \'.

Instead of this:
Code:
$sql = 'SELECT * FROM ' . DATABASE_TABLE . " WHERE user_id = $user_id";

You should use:
Code:
$sql = 'SELECT * FROM ' . DATABASE_TABLE . ' WHERE user_id = ' . $user_id;

It's faster. But if there is something more after $user_id (for example AND post_id = $post_id), you can use double quotes (but I think that using single quotes is still faster).

Examples of good queries:
Code:
$sql = 'SELECT * FROM ' . DATABASE_TABLE . ' WHERE user_id = ' . $user_id;
$sql = 'SELECT * FROM ' . DATABASE_TABLE . ' WHERE user_id = ' . $user_id . ' AND post_id = ' . $post_id;
$sql = 'SELECT * FROM ' . DATABASE_TABLE . " WHERE user_id = $user_id AND post_id = $post_id";
$sql = 'SELECT * FROM ' . DATABASE_TABLE . ' WHERE username = "' . $username . '"';
$sql = 'SELECT * FROM ' . DATABASE_TABLE . " WHERE username = '$username'";
phpBB3.PL - User-friendly Polish phpBB 3.0 support

Re: When to, and when not to use quotations in PHP

Postby Michaelo » 13 Feb 2007, 02:36

This is going to sound real strange, but my keyboard has ' and I don't see ’ (apostrophe)... how do I type ’? This won't work ’

Re: When to, and when not to use quotations in PHP

Postby Handyman » 13 Feb 2007, 02:40

It's (shift + option + ] ) ’ if that doesn't work, instead of option, try control and alt depending on what kind of computer you are using.
The above works for me... I'm using a Mac.

Re: When to, and when not to use quotations in PHP

Postby Michaelo » 13 Feb 2007, 03:17

Nothing works... nothing... oh! except 'Word'. In fact Word replaces my ' with ’ by default, but I don't fancy opening Word every time I need an ’.
If I had the money I'd get a Mac... but I am upgrading to an AMD 5200 and a nice MB...

A couple of interesting things... In Firefox, if you switch to Unicode (UTF-8) or Western (8859-15), the apostrophe is displayed as a ? (question mark) (character encoding)... That might explain why, in another post, people reported seeing Don’t as Don?t... actually that's why I changed it.

So now I have to deal with not being able to type an ’ (apostrophe) but seeing it as well... I knew there would be days like this.
