1

Suppose I have a query

SELECT * FROM table WHERE x > y;

where "y" is a user-input value. I'd like to enclose y in quotes. So far as I've tested, the query works properly when the quotes are added. Is the behaviour defined? Is it known to result in an efficiency drop?

Note that the query is an example fabricated for simplicity. Also, this is not an attempt to deal with SQL injection.

Improve this question
9
  • What is your actual question here? Commented Dec 7, 2011 at 6:23
  • Is the behaviour defined, and is it known to result in an efficiency drop? Commented Dec 7, 2011 at 6:27
  • Enclosing values in quotes isn't what protects against injection. Commented Dec 7, 2011 at 6:28
  • As I mentioned, I'm not trying to protect against injection. It was just a simple way to frame the question. Commented Dec 7, 2011 at 6:33
  • Why did you mention injection at all? Commented Dec 7, 2011 at 11:53

3 Answers 3

Reset to default
3

If the field that you are trying to compare with is a numeric field ie int, then all the possible combinations must work in mysql

select * from users where id = 20;

select * from users where id = "20";

select * from users where id = '20';

Refer the MySQL DOC for more depth

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

The conversion behavior of MySQL when comparing different types is well-defined. When a string and a number are compared, both are converted to floats. It's outlined in the manual, § 11.2.

Improve this answer

Comments

-1

IMO, you can try :-

cast( "-10" as signed )

This is casting in mysql (the function name is cast, obvious?).

Improve this answer

7 Comments

-2 is fine, but I really eager to know what's wrong with the above?
There are a couple of drive-by downvotes for this question. If I had to guess, it's because this answer doesn't address the questions. Specifically, Wyatt was asking whether the behavior he was seeing was specified anywhere, rather than how he could ensure a value was of a certain type. Or perhaps the cast isn't necessary, since comparing a number with a string will result in a floating point comparison.
well, if the down-voters is really reading the docs, he will be surprise the quoting a variable is no diff from casting, and the proper casting to the column type is the measurement for this question. sorry, for being arrogant, this is how i see the natural of casting does.
I don't see it as arrogant. Not sure what you mean by "measurement for this question".
define in this docs (dev.mysql.com/doc/refman/5.1/en/type-conversion.html), numerous mention casting is the proper solution instead of quote the string (of course in that doc, there are more examples and indepth explanation)
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.