What is the difference between the quotes " and ' ? What about `? Is there an error in using different quotes ' and " below?

 $result = pg_query_params($dbconn,
      'INSERT INTO users
      (username, email, passhash_md5)
      VALUES ($1, $2, $3)',
      array($username, $email, $passhash_md5)
 );


 $result = pg_query_params($dbconn,
      "SELECT user_id
       FROM users
       WHERE email = $1",
      array($email)
 );

 Answers

2

Variable-substitution isn't done when using single quotes ('), meaning that the values in your first example would literally be $1 $2 etc if it was a regular string and not passed on to a function that replaces them.

If you don't need variable-substitution, it's better to stick with single quotes for performance reasons.

`` invokes the shell-engine and invokes it as an actual command, returning the result, just like in Perl. Hence, it has a completely different meaning.

examples:

$email = 'user@example.org';
$sql1 = "SELECT user_id FROM users WHERE email = $email";
$sql2 = 'SELECT user_id FROM users WHERE email = $email';

$sql1 would be SELECT user_id FROM users WHERE email = user@example.org

$sql2 would be SELECT user_id FROM users WHERE email = $email

Tuesday, August 9, 2022
3

You could use a preg_match_all(...):

$text = 'Lorem ipsum "dolor sit amet" consectetur "adipiscing \"elit" dolor';
preg_match_all('/"(?:\\\\.|[^\\\\"])*"|\S+/', $text, $matches);
print_r($matches);

which will produce:

Array
(
    [0] => Array
        (
            [0] => Lorem
            [1] => ipsum
            [2] => "dolor sit amet"
            [3] => consectetur
            [4] => "adipiscing \"elit"
            [5] => dolor
        )

)

And as you can see, it also accounts for escaped quotes inside quoted strings.

EDIT

A short explanation:

"           # match the character '"'
(?:         # start non-capture group 1
  \\        #   match the character '\'
  .         #   match any character except line breaks
  |         #   OR
  [^\\"]    #   match any character except '\' and '"'
)*          # end non-capture group 1 and repeat it zero or more times
"           # match the character '"'
|           # OR
\S+         # match a non-whitespace character: [^\s] and repeat it one or more times

And in case of matching %22 instead of double quotes, you'd do:

preg_match_all('/%22(?:\\\\.|(?!%22).)*%22|\S+/', $text, $matches);
Tuesday, October 4, 2022
2

First of all, some people will say that simple-quoted strings are faster than double-quoted strings; you should not care about that kind of micro-optimization: it will not make any difference for your application.

The difference between simple-quoted and double-quoted strings is:

  • with double-quoted strings, there is variable interpolation
  • with double-quoted strings, you can use some special characters like \n, \t, ...
  • with single-quoted strings, you have simple-quotes to escape.

For reference, in the PHP manual:

  • Single quoted
  • Double quoted


I would say that, in the general matter, it's mostly a matter of personal preferences...

Personally, in a situation such as the one you described, I would use a double-quoted string, like you did: it makes the code easier to both write and read, as you don't have to escape that quote.

Friday, November 18, 2022
 
1

I think this is a little cleaner and avoids reference bugs:

function unMagicQuotify($ar) {
  $fixed = array();
  foreach ($ar as $key=>$val) {
    if (is_array($val)) {
      $fixed[stripslashes($key)] = unMagicQuotify($val);
    } else {
      $fixed[stripslashes($key)] = stripslashes($val);
    }
  }
  return $fixed;
}

$process = array($_GET,$_POST,$_COOKIE,$_REQUEST);
$fixed = array();
foreach ($process as $index=>$glob) {
  $fixed[$index] = unMagicQuotify($glob);
}
list($_GET,$_POST,$_COOKIE,$_REQUEST) = $fixed;
Wednesday, November 16, 2022
2

Your usage of quotes is correct, but you're using prepared statements incorrectly - your code is vulnerable to SQL injection! Instead, use placeholders (without quotes) in the query, and pass in the actual values later, as in the example:

$first_name = $_POST['first_name'];
$first_name = trim($first_name);
$last_name = $_POST['last_name'];

$stmt = $con->prepare("insert into reg_data (first_name, last_name) 
                       values(:first_name, :last_name)");
$stmt->execute(array(':first_name' => $first_name, ':last_name' => $last_name));
Friday, December 9, 2022
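
The quoting rules from the first answer and the placeholder advice from the last one, combined in one runnable script. This is an added example, not code from any of the posts; it assumes the pdo_sqlite extension and uses an in-memory SQLite database in place of PostgreSQL, and the table, row and $email value are constructed for the demonstration.

```php
<?php
// Added example: PHP quote styles vs. SQL placeholders.
// Assumption: pdo_sqlite is available; all data below is constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT)');

// A legitimate address that happens to contain a single quote.
$email = "o'brien@example.org";
$ins = $db->prepare('INSERT INTO users (email) VALUES (:email)');
$ins->execute([':email' => $email]);

// 1. The quote style decides whether PHP rewrites the string
//    before the database driver ever sees it.
$single  = 'WHERE email = $email'; // single quotes: no interpolation
$double  = "WHERE email = $email"; // double quotes: $email is substituted
$pgStyle = "WHERE email = $1";     // "$1" is not a valid PHP variable name,
                                   // so it survives double quotes untouched
foreach ([$single, $double, $pgStyle] as $fragment) {
    echo $fragment, "\n";
}

// 2. Interpolating the value into the SQL text makes it part of the
//    statement's syntax: the quote inside the address ends the string
//    literal early and the statement no longer parses.
$interpolated = "SELECT user_id FROM users WHERE email = '$email'";
try {
    $db->query($interpolated);
    echo "interpolated query ran\n";
} catch (PDOException $e) {
    echo "interpolated query rejected: ", $e->getMessage(), "\n";
}

// 3. With a placeholder the SQL text is fixed and the value is sent
//    separately, so its content cannot change the statement.
$stmt = $db->prepare('SELECT user_id FROM users WHERE email = :email');
$stmt->execute([':email' => $email]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo $row === false ? "no match\n" : "matched user_id {$row['user_id']}\n";
```

The same separation holds for pg_query_params: the $1, $2, ... markers are read by PostgreSQL, not by PHP, whichever quote style wraps the query text.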