Simple PHP dollar ($) evaluation in strings question
I have always been confused about this. E.g. in PHP I have an SQL statement
$qry = "select * from table where id = $id";
Now, can I insert "$id" directly inside the quotes, or do I have to use
$qry = "select * from table where id =".$id." ";
or
$qry = 'select * from table where id = $id';
or
$qry = 'select * from table where id = '$id'';
Which is correct?
If the string is in double quotes, variables will be evaluated. If it's in single quotes, it's literal and you'll get exactly what you type.
$bar = 42;
'Foo $bar Baz' // Foo $bar Baz
"Foo $bar Baz" // Foo 42 Baz
'Foo ' . $bar . ' Baz' // Foo 42 Baz
'Foo ' . '$bar' . ' Baz' // Foo $bar Baz
"$bar " . $bar . " $bar" // 42 42 42
Here is the relevant manual section for a full explanation:
http://php.net/manual/en/language.types.string.php#language.types.string.parsing
To put actual quotes into the string, you'll need to alternate them or escape them.
'"$bar"' // "$bar"
"'$bar'" // '42'
'\'$bar\'' // '$bar'
"\"$bar\"" // "42"
''$bar'' // syntax error, empty string '' + $bar + empty string ''
Also, what he said.
None of the above, unless $id happens to be SQL escaped already. You'll probably want to use this, assuming you're using MySQL:
$qry = "select * from table where id = '".mysql_real_escape_string($id)."'";
Edit: Okay, that was incorrect. As per the comment on my answer, this should work:
$qry = "select * from table where id = ".(int)$id;
You can also try explicit variable denotation in strings like so:
$query = "SELECT * FROM table WHERE id = {$id}";
This allows you to do stuff like:
$name = "friend";
$str = "Hello {$name}s"; // Hello friends
where you couldn't do that if you tried:
$str = "Hello $names";
since it would try to expand a variable called $names.
Variables enclosed in single quotes are not expanded and are treated as literals, so 'hey, $id' will be exactly that, instead of the 'hey, 1' expected if you used double quotes.
You can also try sprintf:
$query = sprintf("SELECT * FROM table WHERE id = %d", $id);
As the first poster said, definitely sanitize your data before queries are run.
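The two defensive options the second and third answers settle on, the (int) cast and a %d format, put side by side with a PDO prepared statement for the non-integer case. This is an added example, not code from any answer above; the PDO connection, the table name and the sample inputs are hypothetical or constructed.

```php
<?php
// Added example (not from the answers above): keep $id from altering the SQL.
declare(strict_types=1);

// Integer column: cast before interpolating, so only an integer can reach the SQL text.
function buildIdQuery(mixed $id): string
{
    return "SELECT * FROM table WHERE id = " . (int)$id;
}

// Same idea with sprintf: %d also forces an integer into the template.
function buildIdQuerySprintf(mixed $id): string
{
    return sprintf("SELECT * FROM table WHERE id = %d", $id);
}

// Any column type (e.g. the name='$name' case): bind the value instead of
// building it into the string. $pdo is assumed to be an existing PDO
// connection; it is hypothetical here.
function fetchByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT * FROM table WHERE name = :name");
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: the cast keeps only a leading integer, anything else
// collapses to that number or to 0, so no other text reaches the query.
foreach (['42', '7 extra text', 'abc'] as $input) {
    echo buildIdQuery($input), ' | ', buildIdQuerySprintf($input), "\n";
}
```

The cast and %d are only adequate for integer columns; for strings like $name the prepared statement is the option that does not depend on escaping being done correctly by hand.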
Both
$qry = "select * from table where id = $id";
and
$qry = "select * from table where id = " . $id;
will work and will give you the same value in $qry. Note there's no need for the ." " you had at the end of the second - all that does is append a space, which is pretty pointless.
You can also do
$qry = 'select * from table where id = ' . $id;
which does exactly the same as the other two. They're all "correct" in that they all give you the desired result, and they all have their place. The first is quite inefficient because of the way PHP handles interpolated strings (see here for an in-depth explanation), but is arguably cleaner and quicker than the other two.
I am using this: $qry = "SELECT * FROM table WHERE id=$id";
as I think that an INT does not need quotes.
Otherwise I am using $qry = "SELECT * FROM table WHERE name='$name'";
however, $name needs to be filtered...
There's a simple way to remember this.
By using the double quotes "
you're telling PHP that this string should be parsed for PHP variables.
By using the single quotes '
you're telling PHP not to convert any variables into their values.
But also take note of carriage returns such as \r and \n: by using a single quote the carriage return is not taken into consideration and it will print a literal \r or \n, but by using the double quotes they will be converted into their actual entities such as
see what I did there :)
Hope this helps.
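The parsing rules from the first answer, the {$name}s answer and the last answer, exercised in one script. This is an added example rather than code posted by any of the answerers; $name, $names and $id are constructed sample values.

```php
<?php
// Added example (not from the answers above): single vs double quotes,
// brace-delimited names, quote escaping and \n, all in one place.
declare(strict_types=1);

function render(string $name, int $id): array
{
    $names = 'someone else'; // exists only to show which variable "$names" picks up

    return [
        // Single quotes: nothing is interpolated and \n stays as two characters.
        'single'    => 'Hello $name, id $id\n',
        // Double quotes: variables expanded and \n becomes a real newline.
        'double'    => "Hello $name, id $id\n",
        // The parser takes the longest identifier, so this reads $names, not $name.
        'ambiguous' => "Hello $names",
        // Braces delimit the variable name explicitly.
        'braced'    => "Hello {$name}s",
        // Alternating or escaping quotes to get quote characters into the string.
        'alternate' => '"' . $name . '"',
        'escaped'   => "\"$name\" and '$name'",
        // Only \\ and \' are special inside single quotes; \" is kept verbatim.
        'literal'   => 'It\'s \"literal\"',
        // sprintf keeps the template free of variables altogether.
        'sprintf'   => sprintf('Hello %s, id %d', $name, $id),
    ];
}

// var_export shows the resulting bytes, including whether \n became a newline.
foreach (render('friend', 1) as $rule => $value) {
    echo str_pad($rule, 10), ' => ', var_export($value, true), "\n";
}
```

Running it prints each rule with the string PHP actually built, so the difference between the literal `\n` in the single-quoted case and the real line break in the double-quoted case is visible in the output.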