Why do this.. $fruit_type = banana; mysql_real_escape_string($fruit_type); $query = SELECT * FROM posts WHERE

Question

0

Asked: May 18, 20262026-05-18T08:23:20+00:00 2026-05-18T08:23:20+00:00

Why do this.. $fruit_type = banana; mysql_real_escape_string($fruit_type); $query = SELECT * FROM posts WHERE

0

Why do this..

$fruit_type = "banana";
mysql_real_escape_string($fruit_type);

$query = "SELECT * FROM posts WHERE fruit = " . $fruit_type . ";

when you can do this..

$fruit_type = "banana";
mysql_real_escape_string($fruit_type);

$query = "SELECT * FROM posts WHERE fruit = $fruit_type;

I know that integers should be encapsulated in single quotes but is it fine to add a variable that contains a string directly?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-18T08:23:21+00:00

Adding a string directly, without quotes (and escaped quotes within the value) will not work if that is your question.

The following will work with integers, provided you are matching on an number field, but it will not work with strings:

$query = "SELECT * FROM posts WHERE fruit = $fruit_type";

To match strings, you must enclose them within single quotes, and escape single quotes occurring within the value. The following will not escape quotes contained within the passed variable:

$query = "SELECT * FROM posts WHERE fruit = '$fruit_type'";

At the very least, you should do this:

$query = "SELECT * FROM posts WHERE fruit = " . mysql_real_escape_string($fruit_type);

And at the first opportunity, read about these:

http://php.net/manual/en/pdo.prepared-statements.php

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Why do this.. $fruit_type = banana; mysql_real_escape_string($fruit_type); $query = SELECT * FROM posts WHERE

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply