  1. #1
    Catzwolf (SitePoint Member)
    Join Date
    Jul 2004
    Location
    Uk
    Posts
    5

    What's safer? Single or double quotes in query

    Ok this might sound like a total newbie question, but I just want to clarify something that has been bugging me for a little while now.

    I normally use single quotes in my code (unless I use HTML content in my code) as this is slightly faster than double quotes (or so I have been led to believe).

    Now my question is this: which is safe to use:

    $sql = sprintf( 'INSERT INTO %s ( ip, time ) VALUES ( %s, %u )', $this->table, $this->db->quoteString( $ip ), time() );

    or

    $sql = sprintf( "INSERT INTO %s ( ip, time ) VALUES ( %s, %u )", $this->table, $this->db->quoteString( $ip ), time() );

    Or is the argument a non-starter as both are just as safe?

    Your thoughts?

    John

  2. #2
    php_daemon
    Join Date
    Mar 2006
    Posts
    5,284
    There's no difference as far as I can tell.
    Saul

  3. #3
    tbakerisageek (SitePoint Addict)
    Join Date
    Sep 2006
    Posts
    213
    Quote Originally Posted by Catzwolf
    Ok this might sound like a total newbie question, but I just want to clarify something that has been bugging me for a little while now.

    I normally use single quotes in my code (unless I use HTML content in my code) as this is slightly faster than double quotes (or so I have been led to believe).

    Now my question is this: which is safe to use:

    $sql = sprintf( 'INSERT INTO %s ( ip, time ) VALUES ( %s, %u )', $this->table, $this->db->quoteString( $ip ), time() );

    or

    $sql = sprintf( "INSERT INTO %s ( ip, time ) VALUES ( %s, %u )", $this->table, $this->db->quoteString( $ip ), time() );

    Or is the argument a non-starter as both are just as safe?

    Your thoughts?

    John
    I believe that "" take longer to process. My reasoning behind this is you can use a variable or other "processed" text inside of double quotes that doesn't work inside single quotes.

    As far as security goes, you will want to make sure that if you are entering anything into a database that comes from direct user input, you use the addslashes() function on it before letting MySQL get it.

  4. #4
    Catzwolf (SitePoint Member)
    Join Date
    Jul 2004
    Location
    Uk
    Posts
    5
    Thanks, you have just confirmed what I thought already.

    @tbakerisageek

    The quoteString() function checks for 'string' and applies addslashes && mysql_real_escape_string to it

    Cheers

  5. #5
    earl-grey (An average geek)
    Join Date
    Mar 2005
    Location
    Ukraine
    Posts
    1,403
    Only single quotes can be used for strings in ANSI SQL. So if you want to write portable SQL code, use them.

    Quote Originally Posted by tbakerisageek
    As far as security goes, you will want to make sure that if you are entering anything into a database that comes from direct user input, you use the addslashes() function on it before letting MySQL get it.
    Yes, you will have to escape values, but use mysql_real_escape_string() instead of addslashes().

  6. #6
    SitePoint Guru
    Join Date
    Jul 2005
    Location
    Orlando
    Posts
    634
    Single quotes are indeed faster than double quotes. If you don't need variable expansion then it is a best practice to use single-quoted strings. But for most applications you won't be able to tell the difference.

    However, double quotes are much faster than string concatenation.

  7. #7
    earl-grey (An average geek)
    Join Date
    Mar 2005
    Location
    Ukraine
    Posts
    1,403
    Looks like I've misunderstood your question.

    Use double quotes when the string is not a literal constant and concatenation would look too complex.

  8. #8
    kyberfabrikken (SitePoint Wizard)
    Join Date
    Jun 2004
    Location
    Copenhagen, Denmark
    Posts
    6,157
    Programmers have a tendency to make a huge issue out of performance issues, even if they are completely irrelevant. You may save a few clock cycles by using single quotes rather than double, but compared to the millions of clock cycles involved in querying the database, it just doesn't matter.

    Compared to other similar languages, PHP is very efficient at string manipulation. Unless you have logic that involves loops with thousands of entries, you don't have to bother about whether you're using single or double quotes, or string concatenation.

    Regarding your actual question, they are equally "safe" to use as such. However, when using double quotes, it may be harder to see what the final string will be at runtime. If, for example, your query string contained backslashes or dollar signs ($) or any other character considered "special" by PHP, you may end up with unexpected results. So in a way, you could say that single quotes are safer than double quotes, because they are easier for the programmer to comprehend.

    Quote Originally Posted by tbakerisageek
    As far as security goes, you will want to make sure that if you are entering anything into a database that comes from direct user input, you use the addslashes() function on it before letting MySQL get it.
    I expect that is what quoteString does?

  9. #9
    superuser2 (SitePoint Evangelist)
    Join Date
    Aug 2006
    Posts
    598
    And just so you know, text inside single quotes is taken at face value:

    PHP Code:
    $var = '1';
    $singquotes = '$var'; // Would output, literally, $var, not $var's value
    $doubquotes = "$var"; // Would output $var's value.
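Pulling together the original question, the quoteString()/escaping replies, and posts #8 and #9, here is an added example that is not code from the thread: quoteString() below is a hypothetical stand-in (the thread's own implementation is not shown, and mysql_real_escape_string() needs a live connection), and the value "O'Brien" is a constructed input chosen only because it contains a quote character. It runs the two sprintf forms side by side, shows the interpolated form that skips escaping, and shows PHP rewriting $name inside double quotes.

```php
<?php
// Stand-in for $this->db->quoteString(): escape the value and wrap it in SQL
// single quotes. addslashes() is used only so this runs without a database;
// a real driver should use its connection-aware escaping (or bound parameters).
function quoteString($value) {
    return "'" . addslashes($value) . "'";
}

// The two forms from the original question. The format string holds no $ or
// backslash, so PHP produces the same SQL whichever quote style wraps it.
function buildSingle($table, $ip, $time) {
    return sprintf('INSERT INTO %s ( ip, time ) VALUES ( %s, %u )',
                   $table, quoteString($ip), $time);
}
function buildDouble($table, $ip, $time) {
    return sprintf("INSERT INTO %s ( ip, time ) VALUES ( %s, %u )",
                   $table, quoteString($ip), $time);
}

// The form to avoid: the raw value is interpolated straight into the SQL, so
// the quote inside it ends the literal early and the statement is malformed.
function buildInterpolated($table, $ip, $time) {
    return "INSERT INTO $table ( ip, time ) VALUES ( '$ip', $time )";
}

$ip   = "O'Brien";   // constructed input containing a quote character
$time = 1180000000;  // constructed timestamp in place of time()

echo buildSingle('log', $ip, $time), "\n";
// INSERT INTO log ( ip, time ) VALUES ( 'O\'Brien', 1180000000 )
echo buildDouble('log', $ip, $time), "\n";
// identical to the line above: the PHP quote style changed nothing
echo buildInterpolated('log', $ip, $time), "\n";
// INSERT INTO log ( ip, time ) VALUES ( 'O'Brien', 1180000000 )  <- broken SQL

// Post #8's caveat: inside double quotes PHP itself rewrites $name (and \\
// sequences) before sprintf or the database ever sees the string.
$note = 'literal';
echo 'WHERE tag = \'$note\'', "\n";  // WHERE tag = '$note'    ($note kept as typed)
echo "WHERE tag = '$note'", "\n";    // WHERE tag = 'literal'  ($note replaced)
```

The quote style of the PHP source never decides whether the query is safe; whether every value passed through quoteString() (or a bound parameter) does.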

