how can I include a variable inside double quotes

2
$articulos= $conexion->prepare(
          'SELECT SQL_CALC_ROWS * FROM  articulos LIMIT $inicio, $postPorPaginas'
);

When it's like this inside PHP, it appears to me as if it were a simple string, although I have declared the variable with its values.

asked by Daniel Patricio 23.01.2018 at 20:13

5 answers

11

That "prepare" you have put in your code makes me think that you are using PDO.

Therefore, the advisable thing would be the following:

$articulos= $conexion->prepare("SELECT SQL_CALC_ROWS * FROM articulos LIMIT :inicio, :post_por_paginas");

$articulos->bindParam(':inicio', $inicio);
$articulos->bindParam(':post_por_paginas', $postPorPaginas);

$articulos->execute();

This way you are also avoiding SQL injection.

In case you are not using PDO, I would recommend you take a look here.

answered by 23.01.2018 at 20:27
2

To add variables to character strings in PHP there are different ways, as indicated in the PHP documentation.

PHP documentation: character strings

For the example I use the Complex (curly) Syntax form, which is based on strings enclosed in double quotes (") and encloses the variable in curly braces {}:

<?php

$inicio = 1;
$postPorPaginas = 10;

$articulos = $conexion->prepare("SELECT SQL_CALC_ROWS * FROM articulos LIMIT {$inicio}, {$postPorPaginas}");

This way, the text editor or IDE will correctly display the variables within the character string.

answered by 23.01.2018 at 20:34
2

What @LeonardeCabré says in his answer is correct.

If you are using PDO (or MySQLi), all queries that handle external variables must pass them through prepared queries to avoid the injection of malicious code.

I just want to point out that with PDO you can simplify the code, skipping bindParam and passing the parameters as an array to execute.

The PHP Manual talks about that second possibility, which, I think, we make very little use of:

  execute

  Execute the prepared statement. If it included parameter markers, you should:

  • call PDOStatement::bindParam() and/or PDOStatement::bindValue() to bind variables or values (respectively) to the parameter markers. Bound variables pass their value as input and receive the output value, if any, of their associated parameter markers
  • or pass an array of input-only parameter values

  Source: execute in the PHP Manual

Let's see two examples:

With named markers (:nombre)

$strSQL='SELECT SQL_CALC_ROWS * FROM  articulos LIMIT :inicio, :postPorPaginas';
$articulos= $conexion->prepare($strSQL);
$arrParams=array(':inicio'=>$inicio, ':postPorPaginas'=>$postPorPaginas);
$articulos->execute($arrParams);

With ? placeholders

$strSQL='SELECT SQL_CALC_ROWS * FROM  articulos LIMIT ?, ?';
$articulos= $conexion->prepare($strSQL);
$arrParams=array($inicio, $postPorPaginas);
$articulos->execute($arrParams);

Knowing this is particularly useful when we have to pass many parameters, or when the parameters involved in the query are dynamic. It saves us from constantly invoking bindParam and makes it easier to build a query that depends on several factors. A query executed this way is just as safe as when we use bindParam.

answered by 24.01.2018 at 00:32
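As an added example (not code from the question or from any of the answers above), the question's interpolated query beside the prepared form from the first and third answers, run against an in-memory SQLite database so it works offline; the table layout, the sample rows and the request parameter names are assumptions. The LIMIT values are validated as integers and bound with PDO::PARAM_INT because MySQL with emulated prepares would otherwise quote them, which breaks the LIMIT clause.

```php
<?php
// Added example, not code from the question or any answer. Uses an in-memory
// SQLite database so it runs without MySQL; SQL_CALC_ROWS is omitted for that
// reason. Table layout and sample rows are constructed here.
$conexion = new PDO('sqlite::memory:');
$conexion->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conexion->exec('CREATE TABLE articulos (id INTEGER PRIMARY KEY, titulo TEXT)');
$insert = $conexion->prepare('INSERT INTO articulos (titulo) VALUES (?)');
for ($i = 1; $i <= 25; $i++) {
    $insert->execute(["Artículo $i"]);
}

// The question's approach, with double quotes so the variables interpolate.
// The request values become part of the SQL text, so anything the client
// sends is parsed as SQL: this is the injection the answers warn about.
function paginaInterpolada(PDO $conexion, string $inicio, string $postPorPaginas): array
{
    $sql = "SELECT * FROM articulos LIMIT $inicio, $postPorPaginas";
    return $conexion->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The answers' approach: fixed SQL text, values sent as parameters.
// Validating as integers and binding with PDO::PARAM_INT matters for LIMIT:
// MySQL with emulated prepares would otherwise quote the values ('10'),
// which MySQL rejects in a LIMIT clause.
function paginaPreparada(PDO $conexion, $inicio, $postPorPaginas): array
{
    $inicio = filter_var($inicio, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    $postPorPaginas = filter_var($postPorPaginas, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($inicio === false || $postPorPaginas === false) {
        throw new InvalidArgumentException('invalid pagination values');
    }
    $articulos = $conexion->prepare('SELECT * FROM articulos LIMIT :inicio, :postPorPaginas');
    $articulos->bindValue(':inicio', $inicio, PDO::PARAM_INT);
    $articulos->bindValue(':postPorPaginas', $postPorPaginas, PDO::PARAM_INT);
    $articulos->execute();
    return $articulos->fetchAll(PDO::FETCH_ASSOC);
}

// Page 2 at 10 per page; the $_GET keys are assumed names for the request parameters.
$pagina = paginaPreparada($conexion, $_GET['inicio'] ?? 10, $_GET['pp'] ?? 10);
printf("%d rows, ids %d..%d\n", count($pagina), $pagina[0]['id'], end($pagina)['id']);

// Non-numeric input is refused before it reaches the database.
try {
    paginaPreparada($conexion, '10 x', 10);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```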
0

Try replacing the single quotes with double quotes so that PHP interprets the variables, and use single quotes to enclose each of the variables in the query.

answered by 23.01.2018 at 20:16
0
$query = "SELECT SQL_CALC_ROWS * FROM articulos LIMIT ".$inicio.", ".$postPorPaginas;
$articulos = $conexion->prepare($query);

I think this is the right thing to do; if you use single quotes, just change them, so I put them in double quotes for you. I hope it helps.

answered by 23.01.2018 at 20:19