[Phpmyadmin-devel] backquotes in SQL query

Hi,

I noticed Piotr removed back quotes from a few fields in an SQL query. They were fixed strings (no variables), so they don't really need escaping, but I was under the impression that it is good practice to add back quotes to every field/table/database name in a SQL query, not only the dynamic ones?

--
Kind regards,
Dieter Adriaenssens

Hi

On Tue, 16 Aug 2011 10:49:02 +0200 Dieter Adriaenssens <dieter.adriaenssens@gmail.com> wrote:
> I noticed Piotr removed back quotes from a few fields in an SQL query. They were fixed strings (no variables), so they don't really need escaping, but I was under the impression that it is good practice to add back quotes to every field/table/database name in a SQL query, not only the dynamic ones?

It is usually good practice to avoid problems in case future MySQL versions will introduce new keywords.

--
Michal Čihař | http://cihar.com | http://phpmyadmin.cz

2011/8/16 Michal Čihař <michal@cihar.com>:
> Hi
>
> On Tue, 16 Aug 2011 10:49:02 +0200 Dieter Adriaenssens <dieter.adriaenssens@gmail.com> wrote:
> > I noticed Piotr removed back quotes from a few fields in an SQL query. They were fixed strings (no variables), so they don't really need escaping, but I was under the impression that it is good practice to add back quotes to every field/table/database name in a SQL query, not only the dynamic ones?
>
> It is usually good practice to avoid problems in case future MySQL versions will introduce new keywords.

I removed backquotes which were added by passing literal strings to PMA_backquote, as it only made reading code more difficult, and removed one case of passing aggregate SQL expression in ORDER BY clause to it. Personally, I use them only when necessary as shorter queries are more readable to me. If we want to use backquotes, their usage should be consistent.

--
Piotr Przybylski

Hi,

I'm in favor of using backquotes consistently for all field/table/database names. If we're doing it for dynamic ones, why not for literal strings? (It makes the query look messy when they are mixed.)

I don't agree that omitting the back quotes makes the query shorter and hence better readable. A few back-ticks (2 per fieldname) will not make your query very much longer. Upside of having the back ticks is better visual way of distinguishing field names from values or keywords (which should be in capitals in my opinion, also for better readability).

But I think he meant that having a query full of PMA_backquote() makes it more difficult to read, not really the presence of back ticks. ;)

I think SQL purists dislike more things about the (My)SQL dialect. ;) But this is the way MySQL puts it forward (doing a mysqldump adds backticks to field/table/database names), and so far phpMyAdmin is a project that serves as a front end for MySQL (and derivatives).

My few cents.

Kind regards,
Dieter

2011/8/16 Piotr Przybylski <piotr.prz@gmail.com>:
> 2011/8/16 Michal Čihař <michal@cihar.com>:
> > Hi
> >
> > On Tue, 16 Aug 2011 10:49:02 +0200 Dieter Adriaenssens <dieter.adriaenssens@gmail.com> wrote:
> > > I noticed Piotr removed back quotes from a few fields in an SQL query. They were fixed strings (no variables), so they don't really need escaping, but I was under the impression that it is good practice to add back quotes to every field/table/database name in a SQL query, not only the dynamic ones?
> >
> > It is usually good practice to avoid problems in case future MySQL versions will introduce new keywords.
>
> I removed backquotes which were added by passing literal strings to PMA_backquote, as it only made reading code more difficult, and removed one case of passing aggregate SQL expression in ORDER BY clause to it. Personally, I use them only when necessary as shorter queries are more readable to me. If we want to use backquotes, their usage should be consistent.
>
> --
> Piotr Przybylski
--
Greetings,
Dieter Adriaenssens

On 2011-08-16 04:49, Dieter Adriaenssens wrote:
> Hi,
>
> I noticed Piotr removed back quotes from a few fields in an SQL query. They were fixed strings (no variables), so they don't really need escaping, but I was under the impression that it is good practice to add back quotes to every field/table/database name in a SQL query, not only the dynamic ones?

I haven't seen any recommendation stating that this is a good practice. After all,
- backquotes are only an escaping mechanism (introduced by MySQL) so phpMyAdmin should add them in all dynamic cases
- SQL purists hate these backquotes

--
Marc Delisle
http://infomarc.info
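
The distinction discussed in this thread, as an added PHP example (not phpMyAdmin's code and not written by any participant; `quoteIdentifier()` and `buildGroupCountQuery()` are hypothetical helpers, and the table and column names are constructed): dynamic identifiers are backquoted with any embedded backtick doubled, while the aggregate expression in ORDER BY is left unquoted.

```php
<?php
// Added illustration, not phpMyAdmin code. quoteIdentifier() and
// buildGroupCountQuery() are hypothetical helpers.

/**
 * Quote a single MySQL identifier (database, table or column name).
 * A backtick inside the name is escaped by doubling it.
 */
function quoteIdentifier(string $name): string
{
    // MySQL identifiers cannot be empty or contain a NUL byte.
    if ($name === '' || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('Invalid identifier');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

/**
 * Count rows per value of $column. The table and column names are dynamic,
 * so they are quoted; COUNT(*) is an expression and is emitted as written.
 */
function buildGroupCountQuery(string $table, string $column): string
{
    $col = quoteIdentifier($column);
    return 'SELECT ' . $col . ', COUNT(*) AS `n`'
        . ' FROM ' . quoteIdentifier($table)
        . ' GROUP BY ' . $col
        . ' ORDER BY COUNT(*) DESC';
}

// Constructed sample names: two reserved words, then a name containing a backtick.
echo buildGroupCountQuery('order', 'group'), "\n";
echo buildGroupCountQuery('audit', 'odd`name'), "\n";

// Passing the aggregate through the quoting helper turns it into an
// identifier named COUNT(*) instead of a call to the aggregate function.
echo 'ORDER BY ' . quoteIdentifier('COUNT(*)') . " DESC\n";
```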
participants (4)
- Dieter Adriaenssens
- Marc Delisle
- Michal Čihař
- Piotr Przybylski