Is there any differences in using single quotes vs. using double quotes around a whole SQL query?
Which is better:
This approach (with single quotes):
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql = 'SELECT * FROM users WHERE username = "' . $username . '" AND password = "' . $password . '" LIMIT 1';
?
Or this approach (using double quotes):
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
$sql = "SELECT * FROM users WHERE username = '{$username}' AND password = '{$password}' LIMIT 1";
Is there a better way to accomplish this?
For me I like the first approach as I always prefer single quotes in PHP. So I want to make sure that using single quotes around a whole SQL query is OK and using double quotes around variables or data is OK and is cross-platform and could be used with databases other than MySQL!
解决方案
Use PDO instead of either of these approaches. It will allow you to use parameters instead of strings.
$sth = $dbh->prepare('SELECT * FROM users WHERE username = :username AND password = :password LIMIT 1');
$sth->bindParam(':username', $username, PDO::PARAM_STR);
$sth->bindParam(':password', $password, PDO::PARAM_STR);
$sth->execute();
By the way, make sure that you're not using passwords in plain text at the same time.