much quotes?

[ubik]

Hello, I am here just looking at some tutorials, and It all seems very interesting, I think I've learned more from some online tutorials than some book I'm reading, but this piece of code kind of confuses me a bit, was wondering if someone would be so kind as to possibly explain why the following code uses so many single and double quotes and also the periods after "VALUES":

PHP Code:

 $insertQuery = "INSERT INTO articles 

(title,tagline,section,thearticle) VALUES (".

"'".$HTTP_POST_VARS['title']."', ".

"'".$HTTP_POST_VARS['tagline']."', ".

$HTTP_POST_VARS['section'].", ".

"'".$HTTP_POST_VARS['thearticle']."')"; 


any help is appreciated, thanks for your time.

[MRMAN]

Howdy.
Basically there are two types of quote in that string. The first quote is a single quote. This quote is used by the mysql statement to determin a string. This means that $HTTP_POST_VARS['title'] will be entered into the database as a string.

The second type are the double quotes. In the statment above they are used by the php statement. These quotes are used to break out of the mysql statement.

For example. If you where to do this

PHP Code:

$word = "test";
print "this is a " . $word; 


when run you would get:-
this is a test
printed on the screan.


The final section are the full stops. In php these are used to concatenate, or join, string together. all these are used for in this statement is to make the statement appear on multipul lines.

You could rewrite the statment to make it easier.
llike this

PHP Code:

$insertQuery = "INSERT INTO articles (title,tagline,section,thearticle) VALUES ('".$HTTP_POST_VARS['title']."', '".$HTTP_POST_VARS['tagline']."', " . $HTTP_POST_VARS['section'].", '".$HTTP_POST_VARS['thearticle']."')"; 


that will put it on one line.

you could also do this

PHP Code:

$insertQuery = "INSERT INTO articles (title,tagline,section,thearticle) VALUES ('$HTTP_POST_VARS[title]', '$HTTP_POST_VARS[tagline]', $HTTP_POST_VARS[section], '$HTTP_POST_VARS[thearticle]')"; 


This statement will keep everything inside the mysql.

Hope this is helpfull. If not then i will try again.

[ubik]

Hello MRMAN,

thanks for responding. hey yeah i get it now.. i was thinking along the lines of mySQL statements and forgot that what I was looking at was a php string. I understand it, but I don't really understand why someone would use:

PHP Code:

 $insertQuery = "INSERT INTO articles (title,tagline,section,thearticle) VALUES (".
"'".$HTTP_POST_VARS['title']."', ".
"'".$HTTP_POST_VARS['tagline']."', ".
$HTTP_POST_VARS['section'].", ".
"'".$HTTP_POST_VARS['thearticle']."')"; 


instead of:

PHP Code:

$insertQuery = "INSERT INTO articles
(title,tagline,section,thearticle) VALUES ('$HTTP_POST_VARS[title]', '$HTTP_POST_VARS[tagline]', $HTTP_POST_VARS[section], '$HTTP_POST_VARS[thearticle]')"; 


is there any special reason or difference that you would use one way over the other?

[MRMAN]

different people like different things.
Personally i prefer the first method as i find it easier to see the php variables.

But then again i don't put $_POST ot $_GET into the mysql statement.
I usually pass it through some validation first. Just to make sure no one can be naughty.

[ubik]

oohh ok, yeah i suppose that would be good for syntax highlighted editors, lol i need to get me one of those. hey thanks for your help. right on about the security that's what im reading up on now.

[degsy]

It also depends on how fiddly your code is and what quotes you are using.

Double quotes process the data and so in theory would take more processing time.

PHP Code:

$str = "This string contains 'single quotes'"; 


But if you have single quotes within a single quotes string then they would have to be escaped.

PHP Code:

$str = 'This string contains \'single quotes\''; 


For outputting code you also have the ability to break in and out of languages

PHP Code:

<?php
$str = "Hello World";
?>
<p><?php echo $str; ?></p>