What does {} do in MySQL queries?

Question

I tried this Google query but it didn't show up (possibly because { was parsed as some special character or ignored).

I saw a query made on an example somewhere that looks like this:

SELECT `id` FROM areas WHERE `name` = '{$listing['cityname']}'

And this was in PHP (so inside mysql_query())

My best guess is it searches as a Lowercase (same as LOWER(name) AS...) but I want to be 100% sure how that's supposed to work.

Answer 1

That's PHP syntax, not MySQL syntax. It allows you to interpolate complex expressions in a double-quoted string. So in your example, the array index $listing['cityname'] will be evaluated, and its value used in your query.

It has nothing to do with SQL whatsoever.

By the way, that's a gaping SQL injection vulnerability, assuming the array value hasn't yet been escaped with something like mysql_real_escape_string(). Most people use prepared statements for building SQL queries these days.