is this statement right ?

[runeveryday]

Code:

$q = $dbh->query("SELECT dish,price FROM meals WHERE meal LIKE '" . $_POST['meal'] ."'");

i have looked for lots of articles,finding in mysql,behind LIKE there are two
institutions,some use '',and some use " ",i don't know which is right ?

two:
in the above it uses " behind LIKE,i think it's wrong,and the right is
LIKE ' $_POST['meal'] '"); am i right ?

[Dan Grossman]

You have two syntaxes to think about, PHP and SQL.

The SQL query you want will have single quotes in it.

Code:

SELECT dish, price FROM meals WHERE meal LIKE '%something%'

The PHP code is building a string by concatenating literal strings, enclosed in double quotes, with variables.

PHP Code:

$string = "Some literal concatenated with a " . $variable . " plus another literal string"; 


Your literal string contains single quotes, so you will have single quotes within the double quoted literal.

PHP Code:

$string = "A literal with 'single quotes' inside of it."; 


The single quotes just happen to need to be before and after the variable you're concatenating with the strings, so you get the double quotes following the single quotes.

PHP Code:

$string = "A string with a '" . $variable . "' enclosed in single quotes."; 


[runeveryday]

according to your said,

You have two syntaxes to think about, PHP and SQL.


The PHP code is building a string by concatenating literal strings, enclosed in double quotes, with variables.

PHP Code:

$string = "Some literal concatenated with a " . $variable . " plus another literal string"; 


The single quotes just happen to need to be before and after the variable you're concatenating with the strings, so you get the double quotes following the single quotes.

PHP Code:

$string = "A string with a '" . $variable . "' enclosed in single quotes."; 


i find the two example is the same,both hava a variable to concatenate,but the display is different,one has an single quotes after a,one don't.why ?

[runeveryday]

i know ,the above's output is only the $variable ,but the next is the $variable 's value.is this the reason?

[Dan Grossman]

The examples are not the same; in one instance the resulting string assigned to $string has single quotes within the string, in the other it does not. It's not syntax there, it's part of the string you're assigning to a variable. Play around with it until you figure it out. Your goal is to build a SQL query, a string, that contains single quotes, as that's the SQL syntax. The reason for the single quotes in the code will become obvious.