PHP双引号内的单引号 [英] PHP single quotes within the double quote

问题描述

我在准备插入语句时为何在双引号内使用单引号有疑问。我的理解是带有双引号的变量将被解释。单引号的变量将不会被解释。

I am having question about why single quote should be used within the double quote when preparing insert statement. My understanding is variable with double quotes will get interpreted. variable with single quotes will not get interpreted.

$var1 = 5; print "$var1"; //output value 5
$var2 = 'jason'; print '$var2'; //output $var2

我不确定为什么在值的部分使用单引号下面的代码。
请给我一些解释。谢谢！

I am not sure why the single quotes are used in the values section in the code below. Please give me some explanation. Thanks!

$first_name = $_POST['first_name'];
$first_name = trim($first_name);
$last_name = $_POST['last_name'];

$stmt = $con->prepare("insert into reg_data (first_name, last_name) 
                       values('$first_name', '$last_name')");

推荐答案

您使用的引号是正确的，但是错误地使用准备好的语句-您的代码容易受到 SQL注入的攻击！而是，在查询中使用占位符（不带引号），并在以后传递实际值，如示例：

Your usage of quotes is correct, but you're using prepared statements incorrectly - your code is vulnerable to SQL injection! Instead, use placeholders (without quotes) in the query, and pass in the actual values later, as in the example:

$first_name = $_POST['first_name'];
$first_name = trim($first_name);
$last_name = $_POST['last_name'];

$stmt = $con->prepare("insert into reg_data (first_name, last_name) 
                       values(:first_name, :last_name)");
$stmt->execute(array(':first_name' => $first_name, ':last_name' => $last_name));

这篇关于PHP双引号内的单引号的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！