Whats safer? Single or double quotes in query

**Catzwolf** · Dec 23, 2006 04:36

Ok this might sound like a total newbie question, but I just want to clarify something that has been bugging me for a little while now.

I normally use single quotes in my code (Unless in use html content in my code) as this is slightly faster than double quotes (or so I have been lead to believe).

Now my question is this: which is safe to use:

$sql = sprintf( 'INSERT INTO %s ( ip, time ) VALUES ( %s, %u )', $this->table, $this->db->quoteString( $ip ), time() );

or

$sql = sprintf( "INSERT INTO %s ( ip, time ) VALUES ( %s, %u )", $this->table, $this->db->quoteString( $ip ), time() );

Or is the arguement a non starter as both are just as safe?

Your thoughts?

John

**php_daemon** · Dec 23, 2006 06:38

There's no difference as far as I can tell.

**tbakerisageek** · Dec 23, 2006 06:49

Originally Posted by Catzwolf

Ok this might sound like a total newbie question, but I just want to clarify something that has been bugging me for a little while now.

I normally use single quotes in my code (Unless in use html content in my code) as this is slightly faster than double quotes (or so I have been lead to believe).

Now my question is this: which is safe to use:

$sql = sprintf( 'INSERT INTO %s ( ip, time ) VALUES ( %s, %u )', $this->table, $this->db->quoteString( $ip ), time() );

or

$sql = sprintf( "INSERT INTO %s ( ip, time ) VALUES ( %s, %u )", $this->table, $this->db->quoteString( $ip ), time() );

Or is the arguement a non starter as both are just as safe?

Your thoughts?

John

I believe that "" take longer to process. my reasoning behind this is you can use a Variable or other "Processed" text inside of double quotes that don't work inside single quotes.

As far as security goes, you will want to make sure that if you are entering anything into a database that comes from direct user input use the addslashes() function on it before letting MySQL get it.

**Catzwolf** · Dec 23, 2006 07:14

Thanks, you have just confirmed what I thought already.

@tbakerisageek

The quoteString() function checks for 'string' and applies addslashes && mysql_real_escape_string to it

Cheers

**earl-grey** · Dec 23, 2006 07:52

Only single quotes can be used for strings in ANSI SQL. So if you want to write portable SQL code, use them.

Originally Posted by tbakerisageek

As far as security goes, you will want to make sure that if you are entering anything into a database that comes from direct user input use the addslashes() function on it before letting MySQL get it.

Yes, you will have to escape values, but use mysql_real_escape_string() instead of addslashes().

**UFTimmy** · Dec 23, 2006 08:44

Single quotes are indeed faster than double quotes. If you don't need variable expansion than it is a best practice to use single strings. But, for most applications you won't be able to tell the difference.

However, double quotes are much faster than string concatenation.

**earl-grey** · Dec 23, 2006 09:14

Looks like I've misunderstood your question.

Use double quotes when string is not a literal constant and concatenation would look too complex.

**kyberfabrikken** · Dec 23, 2006 09:25

Programmers have a tendency to make a huge issue out of performance issues, even if they are completely irrelevant. You may save a few clockcycles by using single quotes, rather than double, but compared to the millions of clockcycles involved in querying the database, it just doesn't matter.

Compared to other similar languages, PHP is very efficient at string-manipulation. Unless you have logic, that involves loops with thousands of entries, you don't have to bother about whether you're using single or double quotes, or string concatenation.

Regarding your actual question, they are equally "safe" to use as such. However, when using double quotes, it may be harder to see what the final string will be at runtime. If for example, your query string contained backslashes or dollar sign ($) or any other character, considered "special" by PHP, you may end up with unexpected results. So in a way, you could say that single quotes are safer than double quotes, because they are easier to comprehend for the programmer.

Originally Posted by tbakerisageek

As far as security goes, you will want to make sure that if you are entering anything into a database that comes from direct user input use the addslashes() function on it before letting MySQL get it.

I expect that is what quoteString does?

**superuser2** · Dec 23, 2006 10:04

And just so you know, text inside single quotes is taken at face value:

PHP Code:


$var = '1';
$singquotes = '$var'; //Would output to, litlerally $var, not $var's value
$doubquotes = "$var"; //Would output $var's value.

User Tag List

Thread: Whats safer? Single or double quotes in query

Thread Tools

Display

Whats safer? Single or double quotes in query

Bookmarks

Bookmarks

Posting Permissions