When to surround SQL fields with apostrophes?


I notice that when I INSERT and SELECT values to and from a database I have to surround the fields with single quotes, like so:

mysql_query("INSERT INTO employees (name, age) VALUES ('$name', '$age')");

However, if I were to update the age, I would not use single quotes:

mysql_query("UPDATE employees SET age = age + 1 WHERE name = '$name'");

Also, it seems when adding the date to a SQL database I do not have to surround it with single quotes either:

mysql_query("INSERT INTO employees (name, date) VALUES ('$name', NOW())");

Also, when using operators like CONCAT it seems not to be necessary either:

mysql_query("UPDATE employees SET name=CONCAT(name,$lastName) WHERE id='$id'");

Perhaps I am just coding poorly but I seem to recall if I did not surround a field with single quotes when inserting and selecting it the operation failed.

4 solutions

#1


3  

You need to surround the values with quotes when the field's data type is a string type (e.g. text, char, varchar) or a date type such as date, time or datetime.

For numerical types such as int, bigint, decimal, etc., or SQL functions such as now() or current_date, you don't need quotes.

#2


3  

"age" exists in the question as both a php variable ($age) and as a MySQL column name. Column names shouldn't be quoted (generally speaking) but the contents of a column, used in a select or insert statement, ought to be quoted.

In particular, if the contents of a php variable haven't been set, the variable itself will vanish and this can break your syntax. Surrounding php variables with single quotes will at least protect the syntax in case the variable vanishes.

SELECT * from something where age = $age;

If for some reason $age wasn't set, such as the user not entering it on input, it will simply vanish, and this line of code will produce a syntax error at run time because it becomes "where age = ;"

SELECT * from something where age = '$age';

If for some reason $age wasn't set, it will disappear but won't generate an error because it will become "where age = '';" and is still good syntax.

SQL injection is still possible in this instance of course but that's a different question.

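As an added example (not code from the answer or the original question), the behaviour described above is reproduced in Python against an in-memory SQLite table constructed for the demo; the table, rows and names are assumptions, and SQLite stands in for MySQL (both reject the malformed statements the same way, but the number-versus-text comparison rules shown are SQLite's). It contrasts the unquoted and quoted string-building forms with a bound parameter, which is the mitigation for both the vanishing-variable problem and the injection the answer mentions: the value never becomes part of the statement text, so there is no quoting decision to get wrong, and a legitimate value containing an apostrophe (a name like O'Brien) is handled instead of breaking the statement.

```python
import sqlite3


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO employees (name, age) VALUES (?, ?)",
                     [("alice", 30), ("bob", 41), ("O'Brien", 52)])
    return conn


def names_by_age(conn, age, quote_value):
    """String-building lookup, i.e. what the PHP in the question does.
    quote_value=False mirrors  ... where age = $age
    quote_value=True  mirrors  ... where age = '$age'
    """
    literal = f"'{age}'" if quote_value else f"{age}"
    sql = f"SELECT name FROM employees WHERE age = {literal}"
    return [row[0] for row in conn.execute(sql)]


def names_by_age_param(conn, age):
    """Same lookup with a bound parameter: the driver handles typing and quoting."""
    return [row[0] for row in conn.execute("SELECT name FROM employees WHERE age = ?", (age,))]


def age_by_name(conn, name):
    """Quoted interpolation, as in  ... WHERE name = '$name'."""
    sql = f"SELECT age FROM employees WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def age_by_name_param(conn, name):
    """Bound-parameter form of the same lookup."""
    return [row[0] for row in conn.execute("SELECT age FROM employees WHERE name = ?", (name,))]


def run_or_error(fn, *args):
    """Return the result list, or 'syntax error' if SQLite rejected the statement."""
    try:
        return fn(*args)
    except sqlite3.OperationalError:
        return "syntax error"


def demo():
    conn = make_db()
    return {
        # value present: all three forms agree
        "set_unquoted": run_or_error(names_by_age, conn, 30, False),
        "set_quoted": run_or_error(names_by_age, conn, 30, True),
        "set_param": run_or_error(names_by_age_param, conn, 30),
        # value "vanished": an unset PHP variable interpolates as an empty string
        "empty_unquoted": run_or_error(names_by_age, conn, "", False),  # where age =     -> syntax error
        "empty_quoted": run_or_error(names_by_age, conn, "", True),     # where age = ''  -> runs, matches nothing
        "empty_param": run_or_error(names_by_age_param, conn, ""),
        # a legitimate value containing an apostrophe: quoting alone is not enough
        "apostrophe_quoted": run_or_error(age_by_name, conn, "O'Brien"),  # name = 'O'Brien' -> syntax error
        "apostrophe_param": run_or_error(age_by_name_param, conn, "O'Brien"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} {value}")
```

The quoted form only papers over the empty-variable case; any value that itself contains a quote still reaches the parser as syntax, which is exactly the opening that injection exploits. In PHP the equivalent of the bound parameter is a prepared statement through mysqli or PDO.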
#3


1  

You have to make a distinction between the kinds of things you see in a query:

  • reserved SQL keywords: SELECT, UPDATE, WHERE, NULL, ... (not case-sensitive, but mostly written in uppercase)
  • (SQL) operators and syntax tokens: + - / * . ( ) etc.
  • SQL functions: NOW(), CONCAT(), ...
  • fields, table names, database names: employees, age, name, date, ... which should be quoted using backticks, like `field`, to avoid confusion, e.g. if you name a field ORDER
  • values

The last group, the values, can be string literals like 'John' or "John", or numbers like 1, 10, 1e9, 1.005. NULL is a special value, which you can loosely describe as "not set".

Numbers don't have to be enclosed in quotes, but string literals do.

This description is far from complete or perfect, but it should give you a beginning of understanding.

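As an added example (not from the answer or the project), the identifier and value categories above are exercised in Python against an in-memory SQLite database; the table name and the literals are constructed for the demo, and SQLite stands in for MySQL, so the `typeof()` names reported are SQLite's. It shows the reserved-word column name ORDER failing bare and succeeding in backticks, the database's own classification of each kind of literal (a quoted '42' is text, not a number), and why NULL needs IS NULL rather than = NULL.

```python
import sqlite3


def try_create(column_definition):
    """Create a one-column table with the given column definition.
    Returns 'ok' or 'syntax error' so the two spellings can be compared.
    The definitions passed in are fixed constants from demo(), not user input."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute(f"CREATE TABLE t ({column_definition})")
        return "ok"
    except sqlite3.OperationalError:
        return "syntax error"


def literal_type(literal_sql):
    """Ask the database what kind of value a literal is, via typeof().
    Only the constant literals listed in demo() are passed in."""
    conn = sqlite3.connect(":memory:")
    return conn.execute(f"SELECT typeof({literal_sql})").fetchone()[0]


def null_comparison():
    """NULL is 'not set': '=' against it yields unknown (None), IS NULL is the real test."""
    conn = sqlite3.connect(":memory:")
    return conn.execute("SELECT NULL = NULL, NULL IS NULL").fetchone()


def demo():
    return {
        # a column named after a reserved word: bare vs backtick-quoted
        "order_bare": try_create("order INTEGER"),
        "order_backticks": try_create("`order` INTEGER"),
        "age_bare": try_create("age INTEGER"),
        # the kinds of values in the last group of the answer
        "'John'": literal_type("'John'"),
        "1": literal_type("1"),
        "1e9": literal_type("1e9"),
        "1.005": literal_type("1.005"),
        "'42'": literal_type("'42'"),  # quoted, so a string even though it looks numeric
        "NULL": literal_type("NULL"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16s} {value}")
    print("NULL = NULL, NULL IS NULL ->", null_comparison())
```

Double quotes are left out of the demo on purpose: in standard SQL they delimit identifiers, and whether "John" is accepted as a string literal depends on the database's compatibility settings, so single quotes are the portable choice for strings.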
#4


0  

String values (including single characters) must be enclosed in single quotes. This includes date constants represented using strings. Numeric values do not need quotes.


Note: the translated articles on this site are copyrighted by the site and may not be reposted without permission; reposts must cite this article's address: https://www.itdaan.com/blog/2011/03/13/7209d72daf032f4cb4e6bd5a32b5f703.html