What do the curly braces {} do in a SQL query? [duplicate]

For example, check this following query;

$query = "SELECT * FROM users WHERE user='{$_POST['username']}'";  

What is the use?

In string contexts, I do understand the problem it solves.
I can do stuff like $animal = "cat" echo "{$animal}s." // outputs cats

but in the SQL I posted above, I just don't get it. Wouldn't the following be equally good?

$query = "SELECT * FROM users WHERE user='$_POST['username']' AND password='$_POST['password']'";  

So, where does using the { and } get handy? I'd appreciate any example in a SQL context.

asked Feb 1 '12 at 23:02

You should tag this with the other programming language too - php? -

Your query is a string just like any other. The only difference is that your database engine can do something useful with it. -

@blorgbeard, you are right, I should have tagged it as PHP. On a different note.. how do you create line breaks when you write comments like this one... the moment you hit enter, it kicks the Add a comment! button. -

2 Answers

See our page http://www.php.net/manual/de/language.types.string.php#language.types.string.parsing for the double quote string syntax.

The curly braces are for complex variable expressions. They are interpreted by PHP, not by the SQL interface.

$query = "SELECT * FROM users WHERE user='$_POST['username']' AND password='$_POST['password']'";  

The above will lead to a parsing error. Without curly braces you have to write:

$query = "SELECT * FROM users WHERE user='$_POST[username]' AND password='$_POST[password]'";  

Note the lack of key quotes. This only works for a simple array access, and for a simple object property expression. For anything more complex, use the curly braces.

Now that you know that, do a pinky swear that you won't ever do so. Because interpolating user input directly there is not a good idea. http://bobby-tables.com/

Do yourself a favor and use PDO with prepared statements. It's so much easier.

But to give an example for a more complex curly string syntax, this is what I'd do:

$query = "SELECT * FROM users WHERE user={$_POST->id->sql['username']}";

(Does some inline filtering and quoting. Just as example, does not work with default PHP setups.)

answered May 23 '17 at 14:05

In addition, the curly braces may also prevent PHP from interpreting too many characters as the variable name. For example if you have $var and $var2: print "$var_and_var2" will not work, you'll need to use print "{$var}_and_{$var2}" (...Or use printf() or string concatenation...) - Martin Tournoij

@mario, "The curly braces are for complex variable expressions. They are interpreted by PHP, not by the SQL interface". That does it Mario. Also, yeah, I wasn't careful with my example where I overlooked the '$_POST['username']' part.. of course, the ' will fail me right there. Also, your point on not interpolating input in the midst of SQL, very well taken... That was just an example to draw attention to the { } stuff. But yeah... you are right on the money! - Average Joe
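To put the interpolation forms discussed in this answer next to the PDO prepared statement it recommends, here is an added example (not code from the original answer). It assumes an in-memory SQLite database reachable through PDO, and the input array and users table are constructed inside the example.

```php
<?php
// Added example, not from the original answers. Uses an in-memory SQLite
// database via PDO so it runs offline; input array and table are constructed here.
declare(strict_types=1);

// 1. The string-interpolation forms discussed above, on a constructed input array.
$input = ['username' => "o'brien"];
$var = 'a';
$var2 = 'b';

$simple  = "user='$input[username]'";      // unquoted key: allowed in the simple syntax
$complex = "user='{$input['username']}'";  // quoted key: needs the curly braces
$suffix  = "{$var}_and_{$var2}";           // braces stop PHP from reading "$var_and_var2"
// "$var_and_var2" would instead look up an (undefined) variable named var_and_var2.

// 2. Why interpolating into SQL is the wrong tool: the apostrophe in the
//    username terminates the SQL string literal early and the statement breaks.
$interpolated = "SELECT * FROM users WHERE user='{$input['username']}'";

// 3. The fix recommended above: PDO with a prepared statement. The value travels
//    as a bound parameter, so quotes inside it never become part of the SQL text.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, user FROM users WHERE user = :user');
    $stmt->execute([':user' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT NOT NULL)');
$db->exec("INSERT INTO users (user) VALUES ('o''brien'), ('alice')");

var_dump(findUser($db, $input['username']));  // the row for o'brien is found intact
var_dump(findUser($db, 'nobody'));            // no match returns null

try {
    $db->query($interpolated);                // the interpolated statement is not valid SQL
} catch (PDOException $e) {
    echo "interpolated query rejected: {$e->getMessage()}\n";
}
```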

PHP cannot convert a dictionary item directly into a string. You have to do it like this:

$query = "SELECT * FROM users WHERE user='" . $_POST['username'] . "' AND password='" . $_POST['password'] . "'";

The curly brackets are another way to write this without concatenating strings like in my example.

answered Feb 2 '12 at 03:02
