Viewed   82 times

What is the difference between the quotes " and ' ? What about `? Is there an error in using different quotes ' and " below?

 $result = pg_query_params($dbconn,
      'INSERT INTO users 
      (username, email, passhash_md5)
      VALUES ($1, $2, $3)',
          array($username, $email, $passhash_md5

      $result = pg_query_params( $dbconn,
          "SELECT user_id
           FROM users
          WHERE email = $1",
          array( $email )



Variable-substitution isn't done when using single quotes ('), meaning that the values in your first example would literally be $1 $2 etc if it was a regular string and not passed on to a function that replaces them.

If you don't need variable-substitiution, it's better to stick with single quotes for performance reasons.

`` invokes the shell-engine and invokes it as an actual command, and returning the result, just like in perl. Hence, it has a completely different meaning.


$email = '';
$sql1 = "SELECT user_id FROM users WHERE email = $email";
$sql2 = 'SELECT user_id FROM users WHERE email = $email';

$sql1 would be SELECT user_id FROM users WHERE email =

$sql2 would be SELECT user_id FROM users WHERE email = $email

Tuesday, August 9, 2022

You could use a preg_match_all(...):

$text = 'Lorem ipsum "dolor sit amet" consectetur "adipiscing \"elit" dolor';
preg_match_all('/"(?:\\.|[^\\"])*"|S+/', $text, $matches);

which will produce:

    [0] => Array
            [0] => Lorem
            [1] => ipsum
            [2] => "dolor sit amet"
            [3] => consectetur
            [4] => "adipiscing "elit"
            [5] => dolor


And as you can see, it also accounts for escaped quotes inside quoted strings.


A short explanation:

"           # match the character '"'
(?:         # start non-capture group 1 
  \        #   match the character ''
  .         #   match any character except line breaks
  |         #   OR
  [^\"]    #   match any character except '' and '"'
)*          # end non-capture group 1 and repeat it zero or more times
"           # match the character '"'
|           # OR
S+         # match a non-whitespace character: [^s] and repeat it one or more times

And in case of matching %22 instead of double quotes, you'd do:

preg_match_all('/%22(?:\\.|(?!%22).)*%22|S+/', $text, $matches);
Tuesday, October 4, 2022

First of all, some people will say that simple-quoted strings are faster that double-quoted strings ; you should not care about that kind of micro-optimization : it will not make any difference for your application.

The difference between simple-quoted and double-quoted strings is :

  • with double-quoted strings, there is variable interpolations
  • with double-quoted strings, you can use some special characters like n, t, ...
  • with single-quoted strings, you have simple-quotes to escape.

For reference, in the PHP manual :

  • Single quoted
  • Double quoted

I would that that, in the general matter, it's mostly a matter of personnal preferences...

Personnaly, in a situation such as the one you described, I would use a double-quoted string, like you did : it make the code easier to both write and read, as you don't have to escape that quote.

Friday, November 18, 2022

I think this is a little cleaner and avoids reference bugs:

function unMagicQuotify($ar) {
  $fixed = array();
  foreach ($ar as $key=>$val) {
    if (is_array($val)) {
      $fixed[stripslashes($key)] = unMagicQuotify($val);
    } else {
      $fixed[stripslashes($key)] = stripslashes($val);
  return $fixed;

$process = array($_GET,$_POST,$_COOKIE,$_REQUEST);
$fixed = array();
foreach ($process as $index=>$glob) {
  $fixed[$index] = unMagicQuotify($glob);
list($_GET,$_POST,$_COOKIE,$_REQUEST) = $fixed;
Wednesday, November 16, 2022

Your usage of quotes is correct, but you're using prepared statements incorrectly - your code is vulnerable to SQL injection! Instead, use placeholders (without quotes) in the query, and pass in the actual values later, as in the example:

$first_name = $_POST['first_name'];
$first_name = trim($first_name);
$last_name = $_POST['last_name'];

$stmt = $con->prepare("insert into reg_data (first_name, last_name) 
                       values(:first_name, :last_name)");
$stmt->execute(array(':first_name' => $first_name, ':last_name' => $last_name));
Friday, December 9, 2022
Only authorized users can answer the search term. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :