The user input is like this
$user_input = htmlspecialchars($_GET['$user_input']);
According to PHP.net:
'&' (ampersand) becomes '&'
'"' (double quote) becomes '"' when ENT_NOQUOTES is not set.
"'" (single quote) becomes ''' (or ') only when ENT_QUOTES is set.
'<' (less than) becomes '<'
'>' (greater than) becomes '>'
But what about $? For example the code is like this:
echo "Some cool text $user_input";
Now lets say user input is $secretCode so:$_GET['$user_input'] = "$secretCode";
Will the code then not echo the $secretCode?
Also what about this. Lets assume the code is like this:
$html = <<<EOF <head>.... EOF;
What if the input is $_GET['$user_input'] = "EOF;"; Won't this quit the string?
You're assuming a level interpretation that doesn't exist. If you write string literals like this:
$foo = 'bar';
$baz = "Hello $foo";
Then yes, $foo will be interpolated into the string. That is because it is explicitly written as a string literal in PHP source code.
On the other hand:
$foo = 'bar';
$baz = $_GET['var'];
Under no circumstances whatsoever will anything be interpolated here. Nor here:
$foo = <<<EOL
$_GET[var]
EOL;
$_GET['var'] can contain whatever it wants to, it is of no concern. PHP does not recursively evaluate all values over and over to see if there may be something that can be interpolated. There is no security issue here.
To provoke any of this recursive behaviour, you'd have to explicitly construct PHP source code as a string and then explicitly evaluate it:
$code = <<<EOL
$foo = 'bar';
echo "Hello $_GET[var]";
EOL;
// $code is now, say:
// $foo = 'bar';
// echo "Hello $foo";
eval($code);
Unless you do something like this (and please, never use eval), nothing will happen.
For embedding arbitrary text inside of HTML, htmlspecialchars is fine to escape characters which have a special meaning in HTML; yes, it's secure.
php will not parse variables inside variables itself, because the variable is not clearly written in your php code, php dont parse variables at this level. so with this in mind the following examples will fail and will output some text and $bar and not some text and test
$_GET['foo'] = '$bar';
$baz = $_GET['foo'];
$bar = 'test';
echo "some text and $baz";
// some text and $bar
Constant strings in your PHP code will be parsed like that, but strings that come from another source are not.
So in the line below, the variable $world will be expanded:
$var = "Hello $world";
In the line below, the exact value is used as it is read from (probably) a database. Even if the field 'example' world contain the text 'Hello $world', the variable $world would not be expanded.
$var = $row['example'];
This is normal PHP behaviour and is not related per se to htmlspecialchars.
Related
I ran into a block of code that executes print with double quotes around the argument. The argument contained a variable that was seemingly escaped by a dollar sign. Is that how a variable is called inside double quotes in php?
print("$$owed");
Here's the full block from the source:
<html>
<head>
<title>Loans</title>
</head>
<body>
<?php
$interest_rate = .14;
function YouOweMe($cost, $interest_rate) {
$weekly_payment = ($cost*$interest_rate);
print "You better pay me $$weekly_payment every week, or else!";
}
<font color="#000000">YouOweMe($cost, $interest_rate);
?>
</body>
</html>
I had to strip the numbers. So annoying.
Anyway, ... What doesn't make sense to me is that $$owed is supposed to, what? Create a new variable from a separate variable that contains a string 'owed'? That doesn't seem practical in any situation. Isn't $$owed just to get a dollar sign before the amount?
Here is an example to understand variable variables :
<?php
$var = "test";
$test = "hey !";
echo "$$var"; //$test
echo "${$var}"; //hey !
echo '$$var'; //$$var
?>
Edited according to comments.
In PHP, a variable is escaped with $ when inside a string defined with double quotes. This does NOT work with single quotes.
$string = "world";
echo "Hello ${string}";
#### outputs "Hello World"
That is how you put a variable into a string (you need the double quotes).
What you have is variable-variable. You can call a variable $foo by using a string with foo in it.
$string = 'foo';
$foo = 'hello world';
echo "I say, ${$string}";
Would output "hello world.
There are a couple of ways to use variables inside double quotes, some common ways are
print("$owed") will print the value of $owed
print("$$owed") is called a "variable variable" (as linked previously)
$owed = "test";
$test = 16;
print("$$owed");
will print out "$test".
Another use of this comes in the form of print("${$owed}"), which takes the value of $test and uses it as the variable name.
I strongly advise you to use single quotes and concatenate the variables needed, as it saves the time for evaluating variables in out, e.g.:
$owed = 42;
print('The value is: ' . $owed);
lg,
flo
Are these 2 two "spellings" equivalent? Just wondering.
${var} out of context could be either correct or not. If it is used inside of the string like "foo ${var} bar" - then it is the same.
If it is used right in the code - then ${var} is incorrect, and ${'var'} should be used instead.
The valid cases for using ${...} are:
Inside the string in cases like "ab${cd}e" - when all the letters go without spaces, "${a['b']}" - when you use it with arrays
When you want to assemble the variable name dynamically: ${'a_' . $i}
Pretty much. The only difference is that you can enter code to be parsed in between the curly braces to get "variable" variable names.
Ex.
${'t'.'e'.'s'.'t'} = 'test'; // is the same as $test = 'test';
${substr('testaaa',0,4)} = 'test'; // the same
You can even do something like:
${ 'a' == 'b' ? 'Foo' : 'test' } = 'test'; //the same
It is essentially the same as:
$var_name = substr('testaaa',0,4);
$$var_name = 'test';
I'm a bit confuse with
$hello = "hello";
echo "Say $hello";
echo "Say {$hello}";
echo "Say ${hello}";
and the output is same Say hello. When should I use {$hello} and ${hello}? and why it cannot be used in single quote?
$animal = 'cat';
echo "I have 14 $animals";
This may lead to problems, thus you will "escape" it
echo "I have 14 ${animal}s";
or
echo "I have 14 {$animal}s";
In single caused variables/expression were never substituted.
Single quoted string will never expand variables in PHP. See:
http://php.net/manual/en/language.types.string.php
for more detail of the string formats in PHP. There are 4 in total (including nowdoc introduced in PHP 5.3). Only double quoted and heredoc string formats cause variables to be expanded.
According to http://www.php.net/manual/en/language.types.string.php#language.types.string.parsing ,
this is a simple syntax:
echo "Say ${hello}";
and this is a curly syntax:
echo "Say {$hello}";
Why does them both output the same? Becaus in PHP you can use variable variables in every place you want. For example:
$var = 'somevar';
$bar = 'var';
echo $$bar; // "somevar", simple variable variable
echo ${$bar}; // "somevar", complex syntax
echo ${bar}; // "var", because {bar} treated as a string constant:
// Notice: Use of undefined constant bar - assumed 'bar'
So, using variable variables syntax ${hello} simply translated to $hello.
I would like to know when and why should I use {$var}
echo "This is a test using {$var}";
and when (and why) should I use the simple form $var
echo "This is a test using $var";
You would use the latter when a) not accessing an object or array for the value, and b) no characters follow the variable name that could possibly be interpreted as part of it.
http://php.net/manual/en/language.variables.variable.php
In order to use variable variables with arrays, you have to resolve an
ambiguity problem. That is, if you
write $$a[1] then the parser needs to
know if you meant to use $a[1] as a
variable, or if you wanted $$a as the
variable and then the [1] index from
that variable. The syntax for
resolving this ambiguity is: ${$a[1]}
for the first case and ${$a}[1] for
the second.
The brackets allow you to remove ambiguity for the PHP parser in some special cases.
In your case, they are equivalent.
But consider this one:
$foobar = 'hello';
$foo = 'foo';
echo "${$foo . 'bar'}"; // hello
Without the brackets, you will not get the expected result:
echo "$$foo . 'bar'"; // $foo . 'bar'
For clarity purposes, I would however strongly advise against this syntax.
If you write
echo "This is a test using $vars"
You do not get content of $var in result text.
If you write
echo "This is a test using {$var}s";
Everything will be OK.
P.S. It works only with "" but not for ''.
The {} notation is also useful for embedding multi-dimensional arrays in strings.
e.g.
$array[1][2] = "square";
$text = "This $array[1][2] has two dimensions";
will be parsed as
$text = "This " . $array[1] . "[2] has two dimensions";
and you'll end up with the text
This Array[2] has two dimensions
But if you do
$text = "This {$array[1][2]} has two dimensions";
you end up with the expected
This square has two dimensions.
Very basic, but would like to know the difference/security ramifications etc of using " vs. '.
Can someone provide an example that explains when to use each one?
There are a lot of subtle differences, you'll want to read the php documentation to get a lot of the details, but the important detail are:
Double quotes are parsed whereas single quotes are literals.
You can use variables inline with double quotes, but not with single quotes.
There are some catches though:
<?php
$beer = 'Heineken';
echo "$beer's taste is great"; // works; "'" is an invalid character for variable names
echo "He drank some $beers"; // won't work; 's' is a valid character for variable names but the variable is "$beer"
echo "He drank some ${beer}s"; // works
echo "He drank some {$beer}s"; // works
?>
Single quotes are slightly faster.
When a string is enclosed in double quotes, then escape sequences such as \n and variable identifiers such as $var are interpreted.
See the PHP strings manual for specific details and examples.
The biggest one is this. Inside double-quotes, you can include variables, but inside single quotes, the variable name will be literal:
$var1 = "hello";
// this will echo "hello world"
echo "$var1 world";
// this will echo $var1 world
echo '$var1 world';
Using double-quotes becomes extremely useful in a number of situations, expecially when you place {} around the variable names. Here are some examples (certainly others can give you more examples):
// array elements
echo "Element 5 is {$myArray[5]}";
echo "Element 2 subelement 3 is {$myArray[2][3]}";
//
// a dynamic key
$value = "thing";
$someValue = $myArray["some{$value}"]; // returnd $myArray[something]