A bit of searching on the internet told me that, in MySQL, single quotes are used to indicate the beginning and end of a string and double quotes generally aren't used. My question is: Is using double quotes for indicating the beginning and end of a string harmful or does it make the execution of the query slower?
It's not recommended, but it's not harmful. It will lead to messy code, though, and you might have to consider how you wrap the whole query (single or double quotes) as well, since you cannot use double quotes to wrap a variable if you wrap the entire query with double quotes. Use single quotes. Plain and simple. Or, better, use prepared statements, which means you don't have to use quotes at all.
Thank you. The reason I want to know whether it is harmful or not is because I prefer wrapping the whole MySQL query in single quotes for faster PHP execution and I also want to keep my query codes as clean as possible. If using double quotes for indicating strings is not harmful, I can simply write my query codes like this:
    mysqli_query($conn, 'SELECT * FROM `mytable` WHERE `full_name` = "' . $full_name . '"');
But if using double quotes for indicating strings is harmful, I would have to use single quotes for indicating strings instead and add a backslash like the following line. And when the number of variables increases, the codes become more messy.
    mysqli_query($conn, 'SELECT * FROM `mytable` WHERE `full_name` = \'' . $full_name . '\'');
Since you said it's not harmful, I guess I will go ahead and use it.
The difference in execution speed for an instance like this is negligible. You could just as well do this for easier readability and it shouldn't affect the execution speed.
    mysqli_query($conn, "SELECT * FROM `mytable` WHERE `full_name` = '" . $full_name . "'");
Also, not that it was brought up, but make sure you're sanitizing your $full_name variable or any other user-provided data if you aren't going to use prepared statements or something like PDO.
Okay, let's go through this again... the CONCATENATING of strings, is what is gonna affect speed (even though even that is minimal). Not the quotes you decide to use. Regardless, using variables in a query directly is frowned upon in modern web development, and is the reason why we have prepared queries. So, for your query (disregarding the obvious potential risk of using variables directly in a query), THIS will be the fastest method:
    mysqli_query($conn, "SELECT * FROM `mytable` WHERE `full_name` = '$full_name'");
But doesn't PHP have to spend extra time to figure out if there are variables inside double quotes when it is parsing the code inside double quotes? I have been under the impression that, theoretically, using single quotes + concatenation is supposed to be faster than using only double quotes because of the aforementioned reason.
Concatenating the variables inside a query gives no benefits, really, and might lead to unwanted results if the variables used are returned from functions, for instance. Hence why the simplest way is most often the best way (when it comes to queries). Again, however, you should really try to get it to work with prepared statements. There are plenty of benefits to that approach, and next to no issues, and it will make your code better; both more future-proof, and more mature. I would recommend PDO before mysqli_ (since I'm more used to PDO, but also because the whole syntax is simpler and less roundabout than mysqli_).
I see. I would definitely use prepared statements when I have to repeat the same query with different parameters. In my current case, I only need to execute one or two queries.
Well, yes, that is one of the benefits, but the main benefit is the (mostly) elimination of SQL injection attack vectors. Again, as long as your variables don't contain any user-generated content, you should be fine either way.
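
The prepared-statement approach recommended in the replies, next to the concatenated form from the thread, as an added example that is not code from any poster. It assumes PDO with an in-memory SQLite database and constructed rows so it runs offline; against MySQL only the DSN changes, and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: in-memory SQLite so the example runs offline.
// For MySQL, swap the DSN, e.g. 'mysql:host=...;dbname=...;charset=utf8mb4'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mytable (id INTEGER PRIMARY KEY, full_name TEXT)');

// Constructed sample rows; one name legitimately contains a single quote.
$names = ['Alice Example', "Conan O'Brien"];
$insert = $pdo->prepare('INSERT INTO mytable (full_name) VALUES (?)');
foreach ($names as $n) {
    $insert->execute([$n]);
}

// Thread's pattern: the value is spliced into the SQL text, so any quote
// character inside the data becomes part of the statement itself.
function find_concatenated(PDO $pdo, string $full_name): array
{
    $sql = "SELECT id, full_name FROM mytable WHERE full_name = '" . $full_name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL text is fixed and the value travels separately,
// so no string quotes are written in the query at all.
function find_prepared(PDO $pdo, string $full_name): array
{
    $stmt = $pdo->prepare('SELECT id, full_name FROM mytable WHERE full_name = :full_name');
    $stmt->execute([':full_name' => $full_name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

foreach ($names as $name) {
    try {
        $concat = count(find_concatenated($pdo, $name)) . ' row(s)';
    } catch (PDOException $e) {
        // The quote in the data ended the string literal early.
        $concat = 'SQL error';
    }
    $prepared = count(find_prepared($pdo, $name)) . ' row(s)';
    printf("%-15s concatenated: %-10s prepared: %s\n", $name, $concat, $prepared);
}
```

Even a one-off query with ordinary data fails in the concatenated form when the value contains the quote character used for the literal; the bound parameter handles the same value unchanged.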