what does curly brackets {} do in a SQL query? [duplicate]

Tags:

php

mysql

For example, check the following query:

$query = "SELECT * FROM users WHERE user='{$_POST['username']}'";

What's the use?

In string contexts, I do understand the problem it solves.
I can do stuff like $animal = "cat"; echo "{$animal}s."; // outputs cats

but in the SQL I posted above, I just don't get it. Wouldn't the following be equally good?

$query = "SELECT * FROM users WHERE user='$_POST['username']' AND password='$_POST['password']'";  

So, where does using { and } come in handy? I'd appreciate any example in an SQL context.

Average Joe asked Feb 01 '12 23:02



2 Answers

See http://www.php.net/manual/de/language.types.string.php#language.types.string.parsing for the double quote string syntax.

The curly braces are for complex variable expressions. They are interpreted by PHP, not by the SQL interface.

$query = "SELECT * FROM users WHERE user='$_POST['username']' AND password='$_POST['password']'";  

The above will lead to a parsing error. Without curly braces you have to write:

$query = "SELECT * FROM users WHERE user='$_POST[username]' AND password='$_POST[password]'";  

Note the lack of key quotes. This only works for a simple array access, and for a simple object property expression. For anything more complex, use the curly braces.


Now that you know that, do a pinky swear that you won't ever do so. Because interpolating user input directly there is not a good idea. http://bobby-tables.com/

Do yourself a favour and use PDO with prepared statements. So much easier.


But to give an example for a more complex curly string syntax, this is what I'd do:

$query = "SELECT * FROM users WHERE user={$_POST->id->sql['username']}";

(Does some inline filtering and quoting. Just as example, does not work with default PHP setups.)

mario answered Nov 14 '22 22:11
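The following script is an added example, not part of mario's answer or the original question. It puts the two PHP interpolation syntaxes from the answer side by side, shows what happens when the interpolated value contains an apostrophe (a legitimate name such as o'brien), and then does the same lookup the way the answer recommends, with a PDO prepared statement. The `$post` array, the `users` table and the `findUser()` helper are constructed for this example; it assumes the pdo_sqlite extension so it runs with no database server.

```php
<?php
// Added example: PHP string interpolation vs. PDO prepared statements.
// Constructed request data standing in for $_POST.
$post = ['username' => "o'brien", 'password' => 'hunter2'];

// Simple syntax: inside double quotes an array key may be written unquoted.
$simple  = "SELECT * FROM users WHERE user='$post[username]'";
// Complex (curly) syntax: any expression, including a quoted key, goes in {}.
$complex = "SELECT * FROM users WHERE user='{$post['username']}'";
// "... user='$post['username']' ..." is a parse error and cannot appear here.
echo $simple, "\n";
echo $complex, "\n";     // both lines are identical
echo $simple === $complex ? "same string\n" : "different strings\n";

// Assumed: pdo_sqlite is available; an in-memory database keeps this offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (user TEXT PRIMARY KEY, password_hash TEXT NOT NULL)");
$ins = $db->prepare("INSERT INTO users (user, password_hash) VALUES (:user, :hash)");
$ins->execute([':user' => "o'brien", ':hash' => password_hash('hunter2', PASSWORD_DEFAULT)]);

// Interpolated version: the apostrophe in o'brien terminates the SQL string
// literal early, so the statement is malformed and the driver rejects it.
try {
    $db->query($complex);
    echo "interpolated query ran\n";
} catch (PDOException $e) {
    echo "interpolated query failed: ", $e->getMessage(), "\n";
}

// Prepared statement: the value travels as a bound parameter, never as SQL
// text, so quotes in the input cannot change the statement's structure.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare("SELECT user, password_hash FROM users WHERE user = :user");
    $stmt->execute([':user' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$row = findUser($db, $post['username']);
// The password is checked against a stored hash in PHP, not compared in SQL.
$ok = $row !== null && password_verify($post['password'], $row['password_hash']);
echo $ok ? "login ok for {$row['user']}\n" : "login failed\n";
```

Run it with `php example.php`. The two interpolated strings print identically, the direct `query()` of that string fails on the stray quote, and the prepared statement finds the user because the apostrophe is sent as data rather than as part of the SQL text.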


PHP cannot convert a dictionary item directly in a string. You have to do it like this:

$query = "SELECT * FROM users WHERE user='" . $_POST['username'] . "' AND password='" . $_POST['password'] . "'";

The curly brackets are another way to write this without concatenating strings like in my example.

Andreas Helgegren answered Nov 14 '22 22:11