A MySQL query, with backticks vs without

4

With backticks, is the query more or less secure?

$Query = "Select * from `tabela` WHERE `id` = '1'";


vs

$Query = "Select * from tabela WHERE id = 1";
    
asked by anonymous 08.08.2015 / 20:17

2 answers

6

It depends. If you know what you're doing, either one. If you don't, the first one is better, because it avoids conflicts that may arise and that you would not know how to solve. Some programmers adopt this form by default; others adopt the second form and use the backtick only where the name actually requires it.

It is not safer to do this; security comes from correct practices. It helps avoid certain types of conflicts or inconsistencies, such as names containing characters that may confuse the query syntax (a space, for example) or reserved words. If you know what you are doing and organize the names of things well, it does not help much.

In some cases it may help with security and avoid SQL injection, but do not rely on it to solve that problem. This measure can be bypassed. This feature was not invented to solve security issues.

It is also good to know that this form is not available in all databases. If you need to run the query on another one, you may have problems. But if you need this feature, you probably have several others.

    
08.08.2015 / 20:36
9

Regarding security: no, backticks have no security implications.

Backticks are used when you use a MySQL reserved word as a name, or when a name contains a space.

The first example in the link gets straight to the point:

mysql> CREATE TABLE interval (begin INT, end INT);
ERROR 1064 (42000): You have an error in your SQL syntax ...
near 'interval (begin INT, end INT)'

mysql> CREATE TABLE `interval` (begin INT, end INT);
Query OK, 0 rows affected (0.01 sec)
    
08.08.2015 / 20:42
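A runnable illustration of both answers, added here and not part of either post. It uses Python's standard sqlite3 module as a stand-in for MySQL: SQLite also accepts backtick-quoted identifiers for MySQL compatibility, and ORDER is a reserved word in both engines (SQLite does not reserve INTERVAL, so the table name from the second answer is swapped for `order`). The table `tabela`, its sample rows, the function names and the injection payloads are all constructed for this example. It shows that backticks resolve the reserved-word syntax error, that they do nothing against a payload placed in the value position of either query form from the question, and that binding the value as a parameter is what actually stops the injection.

```python
import sqlite3

# Constructed sample rows for the demo table; not data from the original page.
SAMPLE_ROWS = [(1, "alice"), (2, "bob"), (3, "carol")]


def reserved_name_accepted(quote_identifier):
    """Return True if a CREATE TABLE whose name is the reserved word ORDER parses.

    ORDER is reserved in both MySQL and SQLite, so this mirrors the
    CREATE TABLE interval (...) example from the second answer: unquoted, the
    parser sees a keyword and raises a syntax error; backticked, it is a name.
    """
    conn = sqlite3.connect(":memory:")
    ident = "`order`" if quote_identifier else "order"
    try:
        conn.execute(f"CREATE TABLE {ident} (id INTEGER, name TEXT)")
        return True
    except sqlite3.OperationalError:
        return False
    finally:
        conn.close()


def open_db():
    """Create an in-memory database holding the constructed `tabela` rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE `tabela` (`id` INTEGER PRIMARY KEY, `name` TEXT)")
    conn.executemany("INSERT INTO `tabela` (`id`, `name`) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def query_by_id_interpolated(conn, user_input, with_backticks):
    """VULNERABLE on purpose: user_input is pasted into the SQL text.

    with_backticks=True builds the first query from the question (identifiers
    in backticks, value in single quotes); False builds the second one.
    Backticks only change how identifiers are parsed; the value position is
    still attacker-controlled text, so both forms can be injected.
    """
    if with_backticks:
        sql = f"SELECT * FROM `tabela` WHERE `id` = '{user_input}'"
    else:
        sql = f"SELECT * FROM `tabela` WHERE id = {user_input}"
    return conn.execute(sql).fetchall()


def query_by_id_parameterized(conn, user_input):
    """SAFE: the value is bound as a parameter and never becomes SQL syntax."""
    sql = "SELECT * FROM `tabela` WHERE `id` = ?"
    return conn.execute(sql, (user_input,)).fetchall()


if __name__ == "__main__":
    print("unquoted reserved name accepted:", reserved_name_accepted(False))   # False
    print("backticked reserved name accepted:", reserved_name_accepted(True))  # True

    db = open_db()
    for payload in ("2", "1' OR '1'='1"):
        print("backticked form, input %r ->" % payload,
              query_by_id_interpolated(db, payload, True))
    print("plain form, input '1 OR 1=1' ->",
          query_by_id_interpolated(db, "1 OR 1=1", False))
    print("parameterized, input \"1' OR '1'='1\" ->",
          query_by_id_parameterized(db, "1' OR '1'='1"))
```

With the payload `1' OR '1'='1` the backticked query returns every row, and `1 OR 1=1` does the same to the unquoted numeric form; the parameterized query returns nothing for the payload because the whole string is compared against `id` as a value, while a legitimate `2` still finds its row. Backticks answer the reserved-word and space problem only; parameter binding answers the injection problem.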