为什么VALUES在发送到数据库时写在引号之间？

I am not entirely sure if I should post it on here or not since it does not contain any real coding, but I have been thinking about it for a long time and no one could really give me a good answer (from the people of I have been asking / the research done). I have been taught to write (when inserting something into the DB) to write:

$sql = "INSERT INTO usertimes (name,date,amount,times)
VALUES ('$name', CURDATE(), '$amount', '$times') ON DUPLICATE KEY UPDATE    
date=CURDATE(), amount='$amount', times='$times'";

This is just an example however, but I have been wondering; Why are there quotes around the variable names? Don't these variables remain variables technically speaking? I did some research as mentioned before, but that doesn't really explain why we do so, I just find stuff related to this: Add quotes around variable My apologies if it's a newb question and-or if it shouldn't be posted here. I'm just curious why we do so since from the start we learn a variable shouldn't have quotes around it or you will litterly take over the quote (for example: you would see $times instead of the value given to $times).

Cheers!

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

2条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
duanjia1870 2018-06-04 14:00
关注
Let's look at a simplified example:

$foo = "world"; echo "Hello $foo";

$foo is a variable holding a string, and the echo statement "interpolates" into another string. The string from $foo will be placed directly into the string, and you won't be able to see the "join". The output will be Hello world.

Now let's add some quotes inside the string:

echo "Hello '$foo'";

The $foo is still interpolated and loses its identity, but the ' characters are also part of the final string. The output will be Hello 'world'.

In your SQL, this is what you are doing - you are combining several strings into one, and the result happens to be an SQL statement. Let's say the SQL you want to end up with looks like this:

SELECT * FROM things WHERE thing_name = 'world'

Those quotes are how you tell the SQL parser in the database that 'world' is a string and not, say, the name of a column.

Using our definition of $foo from earlier, we can construct this like so:

$sql = "SELECT * FROM things WHERE thing_name = '$foo'";

We still need the single-quotes, because they're part of the SQL we're trying to create.

However, as others have pointed out, this is also where the risk of "SQL injection" comes from. Imagine an attacker is able to trick us into setting $foo to a value of their choice:

$foo = "world'; DROP TABLE things; --";

Now when we build our SQL string we end up with this:

SELECT * FROM things WHERE thing_name = 'world'; DROP TABLE things; --'

Oops!

The safest protection against this actually does involve passing the variable as a variable, and not merging it into the string. In essence, you pass the database two things: a "parametrised statement", and the "parameters" to use with it. The statement might look like this:

SELECT * FROM things WHERE thing_name = :foo

Note that unlike in our naive interpolation, we don't put quotes around the placeholder :foo. That's because when used correctly, no text will ever be substituted here. Instead, the database will "prepare" the statement as a query like "select all the columns from the table things based on a value to be matched against thing_name", and the "execute" it by saying "match this variable against thing_name".

Now when we pass our attackers string as the parameter for :foo, we just get a query looking for things with that name; since there presumably won't be any, all we'll get is an empty result.
本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

查看更多回答(1条)

报告相同问题？

关注问题

为什么VALUES在发送到数据库时写在引号之间？ php
2018-06-04 13:39

回答 2 已采纳 Let's look at a simplified example: $foo = "world"; echo "Hello $foo"; $foo is a variable holdi
为什么mysql数据在PHP中显示时会有单引号？ php
2015-09-22 06:12

回答 3 已采纳 Because you put Single Quotes in the HTML ? echo" <table border='1'> <tr
如何在数据库中插入带双引号的值？ php sql
2015-07-23 08:55

回答 2 已采纳 Have you tried using prepared statements? This way you don't have to worry about adding the quotes
php insert into 引号,PHP-如何在数据库中插入具有双引号的值？
2021-04-27 05:29

段云琦的博客 message (user_id,subject,message,background_url,total_recipients,created_at) values ('115','Greeting','Hx z'xi','/images/default/1.jpg',2,'2015-07-23 10:48:41')对于消息列,我使用了带单引号的值,...
为什么我们需要在将字符串变量插入mysql数据库php时包含引号 mysql php
2013-08-11 11:49

回答 2 已采纳 This is how the MySQL syntax works. PHP is merely constructing the query for you. PHP will replac
这个为什么没办法插入到数据库？ java mysql
2020-01-08 14:00

回答 3 已采纳 ``` order可以作为表名，但是要这么写 INSERT INTO `order`(orderid,mname,address,telephone,pname,note,price,num)
PHP如何批量提交到数据库？ php
2022-02-25 12:44

回答 2 已采纳 <?php require '../untils/functions.php'; $sn = $_POST['sn']; $model = $_POST['model'];
php数据库连接时容易出错的特殊符号问题
2021-01-20 00:18

而VALUES后面的值则是用单引号包起来的，据说这样是一种防注入的措施。复制代码代码如下: $sql=”INSERT INTO `表名` (`字段1`,`字段2`) VALUES (‘值1’，’值2’)”; mysql_query($sql); 您可能感兴趣的文章:...
如何在将新产品添加到数据库时自动向用户发送电子邮件？ mysql php
2016-02-10 16:01

回答 3 已采纳 I have created new table 'obavijest'. CREATE TABLE IF NOT EXISTS `obavijest` ( `id` int(10
mybatis 插入语句怎么写, values里面有单引号数据库开发
2021-07-28 19:22

回答 1 已采纳空间函数''里面把#｛｝占位改成$｛｝占位试试
如何在数据库列中插入类型为string的数组？ laravel php
2019-07-24 10:40

回答 7 已采纳 You could use php implode() function to join the string array into one string like this: $user-&g
php插入数据到数据库怎么写,PHP怎么插入数据库
2021-04-12 15:35

weixin_39548805的博客 PHP如何插入数据库$ostype=$_POST['ostype'];$uuid=$_POST['uuid'];$nowtime=time();$username='XXXX';$userpass='XXXX';$dbhost='localhost';$dbdatabase='XXX';//生成一个连接$db_connect=mysql_connect($dbhost,$...
将数据添加到数据库中发生错误，如何解决？ java mysql sql
2022-11-17 17:13

回答 5 已采纳因为你插入的时候没有插入hid，而且你的hid非空所以这里报错hid没有默认值这样改 ALTER TABLE household MODIFY hid NOT NULL PRIMARY KEY AU
php mysql单引号_插入MySQL时，在PHP中转义单引号
2021-03-16 23:45

虾仁芝麻卷的博客本问题已经有最佳答案，请猛点这里访问。我有一个令人费解的...问题是，似乎只有一个引号在第二个条目上触发了MySQL错误！！！！第一个实例毫无问题地工作，但第二个实例触发了mysql_error()。表单中的数据处理方...
数据库php插入数据失败,我在向数据库插入数据时出错
2021-04-28 04:34

釹王控小桃花的博客您必须将字符串(文本)括在引号中('John Doe')，inserts如下所示:insert intotable(column1,column2)values(value_of_column_1,value_of_column_2)我不知道您的PHP代码，但我认为您应该使用准备好的语句(docs for ...
没有解决我的问题, 去提问

悬赏问题

¥60 用visual studio编写程序，利用间接平差求解水准网
¥15 Llama如何调用shell或者Python
¥20 谁能帮我挨个解读这个php语言编的代码什么意思？
¥15 win10权限管理，限制普通用户使用删除功能
¥15 minnio内存占用过大，内存没被回收（Windows环境）
¥65 抖音咸鱼付款链接转码支付宝
¥15 ubuntu22.04上安装ursim-3.15.8.106339遇到的问题
¥15 blast算法（相关搜索：数据库）
¥15 请问有人会紧聚焦相关的matlab知识嘛？
¥15 网络通信安全解决方案

为什么VALUES在发送到数据库时写在引号之间？

2条回答 默认 最新

悬赏问题

2条回答默认最新