For example, check this following query;

$query = "SELECT * FROM users WHERE user='{$_POST['username']}'; 

What's the use?

In string contexts, I do understand the problem it solves.
I can do stuff like $animal = "cat" echo "{$animal}s." // outputs cats

but in the SQL I posted above, I just don't get it. Wouldn't the following be equally good?

$query = "SELECT * FROM users WHERE user='$_POST['username']' AND password='$_POST['password']'"; 

So, Where does using the { and } get handy? Appreciate any example in SQL context?

3

2 Answers

See for the double quote string syntax.

The curly braces are for complex variable expressions. They are interpreted by PHP, not by the SQL interface.

$query = "SELECT * FROM users WHERE user='$_POST['username']' AND password='$_POST['password']'"; 

The above will lead to an parsing error. Without curly braces you have to write:

$query = "SELECT * FROM users WHERE user='$_POST[username]' AND password='$_POST[password]'"; 

Note the lack of key quotes. This only works for a simple array access, and for a simple object property expression. For anything more complex, use the curly braces.


Now that you know that, do a pinky swear that you won't ever do so. Because interpolating user input directly there is not a good idea.

Do yourself a favour and use PDO with prepared statements. So much easier.


But to give an example for a more complex curly string syntax, this is what I'd do:

$query = "SELECT * FROM users WHERE user={$_POST->id->sql['username']}"; 

(Does some inline filtering and quoting. Just as example, does not work with default PHP setups.)

2

PHP can not convert a dictionary item directly in a string. You have to do like this:

query = "SELECT * FROM users WHERE user='" . $_POST['username'] . "' AND password='" . $_POST['password'] . "'"; 

the curlybrackets is a other way to write this without concating strings like my example