PHP双引号内的单引号
我在准备插入语句时为何在双引号内使用单引号有疑问。我的理解是带有双引号的变量将被解释。单引号的变量将不会被解释。
I am having question about why single quote should be used within the double quote when preparing insert statement. My understanding is variable with double quotes will get interpreted. variable with single quotes will not get interpreted.
$var1 = 5; print "$var1"; //output value 5
$var2 = 'jason'; print '$var2'; //output $var2
我不确定为什么在值的部分使用单引号下面的代码。
请给我一些解释。谢谢!
I am not sure why the single quotes are used in the values section in the code below. Please give me some explanation. Thanks!
$first_name = $_POST['first_name'];
$first_name = trim($first_name);
$last_name = $_POST['last_name'];
$stmt = $con->prepare("insert into reg_data (first_name, last_name)
values('$first_name', '$last_name')");
您使用的引号是正确的,但是错误地使用准备好的语句-您的代码容易受到 SQL注入的攻击!而是,在查询中使用占位符(不带引号),并在以后传递实际值,如示例:
Your usage of quotes is correct, but you're using prepared statements incorrectly - your code is vulnerable to SQL injection! Instead, use placeholders (without quotes) in the query, and pass in the actual values later, as in the example:
$first_name = $_POST['first_name'];
$first_name = trim($first_name);
$last_name = $_POST['last_name'];
$stmt = $con->prepare("insert into reg_data (first_name, last_name)
values(:first_name, :last_name)");
$stmt->execute(array(':first_name' => $first_name, ':last_name' => $last_name));