MySQL Query Quotes and such [duplicate] - php

Closed 10 years ago.
Possible Duplicate:
MySQL - when to use single quotes, double quotes, and backticks?
Question 1
Why does this work?
"SELECT `id` FROM `table` WHERE x= '".$y."'"
but not this?
"SELECT `id` FROM `table` WHERE 'x' = '".$y."'"
Notice the extra single quotes
Question 2
Is it better to do id over `id` (with the weird quotes)?
Or is it because that double quotes make it interpret as a variable?

Because the server reads x as a value, as it is wrapped in single quotes. Backticks escape a reserved keyword used within the query; usually they are used to wrap column names and table names.
In your query,
SELECT `id` FROM `table` WHERE 'x' = '$y'
x there is not a column but a string value.
For question 2, you can eliminate those backticks around id since it is not a reserved keyword; here is the full list of reserved keywords in MySQL:
MySQL Reserved Keyword
As a side note, the query is vulnerable to SQL injection. Please take a look at the article below to learn how to prevent it. By using prepared statements you can get rid of the single quotes around values.
How to prevent SQL injection in PHP?


Php mysql update query is not working? [duplicate]

Syntax error due to using a reserved word as a table or column name in MySQL
Closed 6 years ago.
I have a simple update query, but it is not working:
update user set active = 'Y' , delete = 'N' where id = 1;// not working
but if I add the special character which phpMyAdmin uses, then it works:
update `user` set `active` = 'Y' , `delete` = 'N' where `id` = 1;// it's working, but it's database generated
and there is no difference except the ` special character, which is not mandatory.
delete is a MySQL reserved keyword.
https://dev.mysql.com/doc/refman/5.7/en/keywords.html
By adding backticks, you are telling MySQL that the word enclosed is not a MySQL keyword but rather a database name, table name or field name.
Thus, any conflict is avoided.
DELETE is a reserved keyword in SQL. Without escaping it with the backtick character you will get a syntax error and the query will not work.

WHERE NOT EXISTS syntax error

I have this code that does not work, and I'm not sure why...
if(isset($_GET['id'], $_SESSION['username'])){
$id = $_GET['id'];
$user = $_SESSION['username'];
$query = $handler->query("INSERT INTO photolikes('User', 'Photo')
SELECT '$user', '$id'
WHERE NOT EXISTS (SELECT Id FROM photolikes WHERE User='$user' AND Photo=$id)");
}else{
}
It's just supposed to insert user and photo into a table if there is no such row in there before... thanks for any help!
The SELECT is missing the FROM clause which is required when a WHERE clause is used.
That's the problem.
There's a couple of ways to fix it.
For a quick fix, you can add FROM DUAL before the WHERE.
If you don't like your MySQL queries looking like they are Oracle queries, you can use an inline view as a rowsource.
In place of FROM DUAL you could use FROM (SELECT 1) i.
That's the less-Oracle-more-MySQL-like way of fixing it. That's how I would do it.
You could also reference any table or view that you are guaranteed returns exactly one row. (It can't be zero rows, and it can't be two rows.)
A couple other notes:
In MySQL, identifiers (for example column names) can be escaped with backtick characters, but not single quotes. Identifiers only need to be escaped if they contain characters that aren't allowed (in unescaped identifiers) or if the identifier conflicts with a reserved word.
INSERT INTO photolikes(`User`, `Photo`)
Also, the code appears to be vulnerable to SQL Injection. Potentially unsafe values that are incorporated into the text of a SQL statement should be properly escaped. But an even better pattern is to use prepared statements with bind placeholders.
INSERT INTO photolikes(`User`, `Photo`)
SELECT '$user', '$id'
FROM <someTable>
^^^^ you missed the FROM
WHERE NOT EXISTS (SELECT Id
FROM photolikes -- Here you didn't forget.
WHERE User='$user' AND Photo=$id)")
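Added example, not code from any post on this page: a Python sketch of the corrected photolikes statement, written the way the prepared-statement advice in the first question's answer and the injection warning in this one imply. Identifiers (table and column names) are backtick-quoted in the SQL text, values are left as placeholders and handed to the driver separately. The %s placeholder and the (sql, params) split follow PyMySQL / mysql-connector-python (an assumption; mysqli and PDO in PHP do the same with ? placeholders). The strip_string_literals helper and the payload string are constructed here only to show, offline, why the interpolated version is unsafe.

```python
# Added example, not code from any post on this page.

_MAX_IDENT_LEN = 64  # MySQL's limit for table and column names


def quote_identifier(name: str) -> str:
    """Backtick-quote a MySQL identifier.

    Backticks are what make reserved words (delete, show, table) and odd
    characters usable as names; a backtick inside the name is written
    twice, which is MySQL's escape for it. Single quotes would turn the
    name into a string literal, which is the bug in the questions above.
    """
    if not name or "\0" in name or len(name) > _MAX_IDENT_LEN:
        raise ValueError(f"invalid identifier: {name!r}")
    return "`" + name.replace("`", "``") + "`"


def insert_if_absent_sql(table: str, user_col: str, photo_col: str) -> str:
    """SQL for 'insert (user, photo) unless that pair is already there'.

    The statement text contains no request data at all; the identifiers
    come from the program, the values arrive as parameters.
    """
    t, u, p = (quote_identifier(x) for x in (table, user_col, photo_col))
    # FROM DUAL: in MySQL a SELECT that has a WHERE clause needs a FROM.
    return (
        f"INSERT INTO {t} ({u}, {p}) "
        "SELECT %s, %s FROM DUAL "
        f"WHERE NOT EXISTS (SELECT 1 FROM {t} WHERE {u} = %s AND {p} = %s)"
    )


def insert_if_absent_params(user: str, photo_id) -> tuple:
    """Bind values in placeholder order. The driver escapes them or sends
    them out of band, so "x' OR '1'='1" is stored as those characters
    instead of becoming part of the query. int() rejects a photo id such
    as "1 OR 1=1" outright, since that column is numeric."""
    pid = int(photo_id)
    return (user, pid, user, pid)


def interpolated_sql(user: str, photo_id: str) -> str:
    """The vulnerable shape from the question (with the FROM added), kept
    for contrast: request values pasted straight into the statement."""
    return (
        "INSERT INTO `photolikes` (`User`, `Photo`) "
        f"SELECT '{user}', '{photo_id}' FROM DUAL "
        "WHERE NOT EXISTS (SELECT Id FROM `photolikes` "
        f"WHERE `User` = '{user}' AND `Photo` = {photo_id})"
    )


def strip_string_literals(sql: str) -> str:
    """Replace each single-quoted literal with ? so that what remains is
    the text MySQL would parse as SQL. A doubled '' inside a literal is
    a quote character, not the end of the literal."""
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] != "'":
            out.append(sql[i])
            i += 1
            continue
        j = i + 1
        while j < n:
            if sql[j] == "'" and not (j + 1 < n and sql[j + 1] == "'"):
                break
            j += 2 if sql[j] == "'" else 1
        out.append("?")
        i = j + 1
    return "".join(out)


def injected_sql_keywords(sql: str) -> bool:
    """True when an OR appears outside every string literal, i.e. text
    that was meant as a value is now being parsed as SQL."""
    return " OR " in strip_string_literals(sql).upper()


if __name__ == "__main__":
    payload = "x' OR '1'='1"  # constructed test input, not real data
    print(interpolated_sql(payload, "7"))
    print(injected_sql_keywords(interpolated_sql(payload, "7")))  # True
    sql = insert_if_absent_sql("photolikes", "User", "Photo")
    print(sql, insert_if_absent_params(payload, "7"))
    print(injected_sql_keywords(sql))  # False
```

The point of the split is that nothing a user types can change the shape of the statement: insert_if_absent_sql produces the same text for every request, and the driver takes care of the values. Identifiers are the one thing a placeholder cannot carry, which is why quote_identifier exists; in practice they should also come from a fixed list in the program rather than from the request.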

mysqli select all rows starting with letter [duplicate]

When to use single quotes, double quotes, and backticks in MySQL
Closed 7 years ago.
I'm converting all my MySQL pages to MySQLi. I need to select all rows where a column starts with a letter.
In MySQL, if I wanted all rows starting with P, I used to add % to P, so I'd search all entries LIKE P%, but it's not working in MySQLi.
If $type = P%
$result = $mysqli->query("SELECT * FROM my_table WHERE column LIKE $type");
I get no results.
I appreciate any help you can provide.
Try putting quotes around the variable in the query so that it looks like this :
$result = $mysqli->query("SELECT * FROM my_table WHERE column LIKE '$type'");
This will probably solve the problem.
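Added example, not part of the answer above, in Python: the LIKE pattern goes to the driver as a bound value (%s placeholder, as PyMySQL / mysql-connector-python use it; an assumption), so the quoting problem from the question cannot occur, and the user-supplied prefix has its wildcard characters escaped so that "50%" means the characters 5, 0, % and not "50 followed by anything". MySQL's LIKE escape character is the backslash by default. Note that `column`, as used in the question, is itself a MySQL reserved word and needs backticks of its own. The like_to_regex checker and the table name are assumptions made so the block runs without a database.

```python
import re

# Added example, not code from the answer above.

LIKE_ESCAPE = "\\"

# `column` is reserved in MySQL; unquoted it is a syntax error.
STARTS_WITH_SQL = "SELECT * FROM `my_table` WHERE `column` LIKE %s"


def like_prefix(user_text: str) -> str:
    """Build a LIKE pattern matching values that start with user_text.

    The escape character is doubled first, then % and _ are prefixed
    with it; doing it in the other order would escape the escapes."""
    escaped = (
        user_text.replace(LIKE_ESCAPE, LIKE_ESCAPE * 2)
        .replace("%", LIKE_ESCAPE + "%")
        .replace("_", LIKE_ESCAPE + "_")
    )
    return escaped + "%"


def starts_with(execute, user_text: str):
    """Run the prefix search through a DB-API style execute(sql, params)
    callable such as cursor.execute; the pattern never enters the SQL text."""
    return execute(STARTS_WITH_SQL, (like_prefix(user_text),))


def like_to_regex(pattern: str) -> str:
    """Translate a LIKE pattern with backslash escapes into a regex, used
    here only to check the escaping offline (MySQL does this server-side;
    this version is case-sensitive, unlike MySQL's default collations)."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == LIKE_ESCAPE and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))  # escaped % or _ is literal
            i += 2
            continue
        out.append(".*" if c == "%" else "." if c == "_" else re.escape(c))
        i += 1
    return "".join(out)


def like_matches(pattern: str, value: str) -> bool:
    return re.fullmatch(like_to_regex(pattern), value, re.DOTALL) is not None


if __name__ == "__main__":
    calls = []
    starts_with(lambda sql, params: calls.append((sql, params)), "50%")
    print(calls[0])  # the SQL text plus ('50\\%%',) as a separate parameter
    print(like_matches(like_prefix("50%"), "50% off"))    # True
    print(like_matches(like_prefix("50%"), "500 items"))  # False: escaped
    print(like_matches("50%", "500 items"))               # True: unescaped
```

For a fixed, program-supplied prefix such as P the escaping changes nothing ("P%" stays "P%"); it matters as soon as the prefix comes from the request, where an unescaped % or _ would let a caller widen the search.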

Unknown column in field list on insert [duplicate]

When to use single quotes, double quotes, and backticks in MySQL
Closed 7 years ago.
I have a table with a primary column "MatchId", followed by many other columns.
Unfortunately, I can't seem to get my insert/update query right: even if I only want to insert a MatchId (not auto-increment, by the way), I get the error Unknown column in 'field list'...
Here is my query:
INSERT INTO `stats` (`MatchId`) VALUES (`123456`);
How do I insert something in this table without getting this error?
You have the wrong types of quotes around the value. Backticks are used around table and column names. To quote a string, use single or double quotes:
INSERT INTO `stats` (`MatchId`) VALUES ('123456');
If it's an integer, you don't need to quote it at all:
INSERT INTO `stats` (`MatchId`) VALUES (123456);
Putting a value in backticks forces it to be treated as a column name, even though it has the syntax of a number. Backticks are the way that MySQL allows you to use column names that have unusual syntax.
Test it in phpMyAdmin: the unrecognised field is "123456". Change your SQL and wrap the value in single quotes.

Escape table name MySQL

I have a little problem with escaping a table name. I was so stupid that I chose "show" for the name of the table. When I use a mysqli connection the escaping works fine, but it's not working with the classic mysql connection. Any advice?
Sorry for my English, I am not a native speaker.
SELECT SQL_CALC_FOUND_ROWS year, nameShow
FROM `show`
LIMIT 0, 10
I get error as
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'show' at line 2
Query
$sQuery = "
SELECT SQL_CALC_FOUND_ROWS year, nameShow
FROM `show`
$sWhere
$sOrder
$sLimit
";
Section 9.3 of the MySQL 5.1 Reference Manual says backticks (`) or double quotes ("); however, I'd go with Fahim Parkar's comment above and just rename the table.
Also worth noting, you must use ANSI_QUOTES SQL mode if using double quotes per Section 9.2:
If the ANSI_QUOTES SQL mode is enabled, it is also permissible to
quote identifiers within double quotation marks
The problem is with YEAR, not with SHOW. YEAR is a MySQL function.
Best practice is to quote column and table names all the time; it makes things easier to read too.
Should be:
SELECT SQL_CALC_FOUND_ROWS `year`, `nameShow`
FROM `show`
LIMIT 0, 10
Backticks should work fine
Try putting a comma after SQL_CALC_FOUND_ROWS:
SELECT SQL_CALC_FOUND_ROWS, year, nameShow
FROM `show`
LIMIT 0, 10
