I just happened to see the following way to compose a parameterized SQL query:
function select_user($uid)
{
    // what is '<<<'?
    // I can't google any document about it
    // (or I don't know how to search for a symbol)
    $sqlStr = <<< SQL_STR
SELECT * FROM user WHERE uid = ?
SQL_STR;
    // the closing identifier must be at the beginning of its line
    // and it must match the word on the right-hand side of '= <<<'
    // CodeIgniter Database Class
    return $this->db->query($sqlStr, array($uid));
}
To rephrase my questions in here:
What does the symbol '<<<' do?
My colleague said that 'SQL_STR' must be matched. Why?
A Heredoc is used to define a string, usually because of the benefit of not having to escape quotes throughout the string, unlike a string literal.
From the Manual:
Heredoc text behaves just like a double-quoted string, without the double quotes. This means that quotes in a heredoc do not need to be escaped, but the escape codes listed above can still be used. Variables are expanded, but the same care must be taken when expressing complex variables inside a heredoc as with strings.
$str = <<<EOD
Example of string
spanning multiple lines
using heredoc syntax.
EOD;
What you're looking for is called heredoc.
For what it's worth, the SQL query is irrelevant to the string assignment:
$html = <<<HTML
Imagine some HTML here with interspersed $variables
HTML;
It's of course not limited to HTML either. It has quite a few useful properties for large blocks of text. Namely, you can interpolate variables into it in a pleasant manner, and you don't have to escape single or double quotes. (According to the manual: "Heredoc text behaves just like a double-quoted string, without the double quotes.")
Normally, when variables in PHP are enclosed in single quotes, they are treated as strings, i.e.
echo '$variable';
will actually echo the word $variable onto the screen.
So why is it then that this string is parsed:
echo "'$variable'";
That code actually does echo the value of the variable. Why is that? It's still inside single quotes, so why does it still get parsed?
The string is wrapped in double quotes -- the single quotes are part of the content of the string, not part of the string's delimiter. Therefore the single quotes have no semantic meaning whatsoever.
Your question indicates that you may have a fundamental misunderstanding of strings. This is OK! Strings are surprisingly complex entities, and will only get more complex if you learn lower level languages like C. I would suggest you spend some time reading up on strings both in general as well as within PHP. A few quick google searches will honestly be better than a curated list for this task.
Because the single quotes are inside double quotes. Anything inside double quotes gets evaluated. So, your echo statement is passed a string inside double quotes.
This string is evaluated then output. It contains single quotes and a variable.
Try this instead:
<?php
$var = 10;
echo '"$var"';
?>
Because it's in double-quotes as well. The outer most layer of quotes denotes what kind of string it is.
It is simply a double quoted string that contains two single quote characters. Once they are in the double quotes, they have no meaning to the parser.
I saw this piece of code below in one PHP file; can someone explain what <<< ST means?
$status['caption']=<<<ST
ST;
P.S.: I really can't google it, trust me :D
This is referred to as a heredoc string.
That is a way to store multiline strings. (Called Heredoc Syntax)
$string = <<<IDENTIFIER
IDENTIFIER;
All the lines in between are stored as a string. Used for long walls of text.
It is described here.
It is called the Heredoc syntax:
http://www.php.net/manual/en/language.types.string.php#language.types.string.syntax.heredoc
It can be helpful for multiline strings and strings containing both double and single quotes.
Like double quotes, heredoc interprets many escape sequences for special characters.
The <<< operator stands for the heredoc syntax. It's a way to write strings in a natural way.
http://php.net/manual/en/language.types.string.php#language.types.string.syntax.heredoc
That's a heredoc string ("text block").
Everything between <<<ST and ST; will be output as it is written. So you could put some HTML you want to output and save a bunch of print() statements, or save yourself the work of escaping characters like you would with a $variable = " textity text text text"; command.
From the PHP website: Heredoc text behaves just like a double-quoted string, without the double quotes. This means that quotes in a heredoc do not need to be escaped, but the escape codes listed above can still be used. Variables are expanded, but the same care must be taken when expressing complex variables inside a heredoc as with strings.
I am getting a lot of errors lately on a Joomla project and have found things like (in class code)...
return "<span class='...
or
echo "<h3 id='...
instead of
return "<span class=\"...
echo "<h3 id=\"...
This includes many times a variable in quotes, but it still finds its way to my browser with single quotes. Before going through and changing these, I wanted to see what others have to say. My project is at http://dev.thediabetesnetwork.com.
I have looked this up and find a lot of conflicting information, so figured I would revive the discussion for the newest PHP/browser configurations and see if I am overlooking other details.
It's a lot easier to read without all the double quotes inside the string being escaped with \.
If you need to output a variable inside a string expression, double quotes must be used. If you are outputting HTML inside double-quotes, you can either use ' or \" to enclose HTML attributes. The first is preferred because it results in cleaner PHP code.
If you don't want your HTML to use single quotes, then you can just escape all of your quotes, use heredoc syntax, or concatenate your variables into the string like:
echo '<div class="test">' . $var . '</div>';
Browsers accept both, thus there is no deeper reason to choose one over the other. From the PHP point of view it is slightly more readable with single quotes, because you can wrap strings in double quotes and use variable substitution. Compare yourself:
"<a href='$url'>Foo</a>"
"Foo"
'Foo'
Another solution is to substitute the content manually, for example
sprintf('Foo', $url);
Or heredoc
echo <<<HTML
Foo
HTML;
I would choose the one, that fits best into the current context (regarding the readability).
Double quotes and single quotes have different functionality in PHP.
You can put a variable or even an array into a string with double quotes, but not so with single quotes.
Both are acceptable in the HTML specification. Indeed, even no quotes is acceptable if there are no spaces. Most people I know prefer to have double quotes for the PHP so you can use variables without breaking up your code, and readability is better because there are no backslashes.
return "<span class='foo'>$foo</span>";
return "<span class=\"foo\">$foo</span>";
return '<span class="foo">'.$foo.'</span>';
return '<span class=\'foo\'>'.$foo.'</span>';
All work but the first one, to most, is the easiest to read and type.
You can read all about php strings, double quotes, single quotes, heredoc and nowdoc syntax in php's documentation here: http://php.net/manual/en/language.types.string.php
echo <<<EOT
My name is "$name". I am printing some $foo->foo.
Now, I am printing some {$foo->bar[1]}.
This should print a capital 'A': \x41
EOT;
This is an example of heredoc syntax, which allows you to pick your starting and ending delimiters for long multiline strings. Nowdoc is the same as heredoc, but like single quotes, you can't put variables into the string.
You don't need to use double quotes if the string doesn't need evaluating (e.g. if it contains variables, etc.). In fact, because double quotes cause the string to be evaluated, they're less efficient than using single quotes and concatenating.
Furthermore, it's convention to use double quotes inside HTML tags, so this is how I'd do it:
return '<span class="test">' . $var . '</span>';
In my opinion, Joomla is very poorly coded, and what you've posted is just another example of this.
Another advantage to this method, as you can see above, is that code highlighters and IDEs make it easy to differentiate between "static" strings and variables.
As a newbie, I have been advised to preferably use heredoc compared to too many nested codes (see Unexpected T_ELSE in php code).
But I can't manage to understand if there is a significant difference between heredoc and nowdoc.
What would be the advantages for heredoc and nowdoc compared to the other one that would be important for a newbie to understand (i.e. not very minor advantages but important to understand for me).
Nowdocs are to single-quoted strings what heredocs are to double-quoted strings. A nowdoc is specified similarly to a heredoc, but no parsing is done inside a nowdoc. The construct is ideal for embedding PHP code or other large blocks of text without the need for escaping.
http://php.net/manual/en/language.types.string.php#language.types.string.syntax.nowdoc
In other words:
$foo = 'bar';
$here = <<<HERE
I'm here, $foo !
HERE;
$now = <<<'NOW'
I'm now, $foo !
NOW;
$here is "I'm here, bar !", while $now is "I'm now, $foo !".
If you don't need variable interpolation but need special characters like $ inside your string, Nowdocs are easier to use. That's all.
heredocs
1. Heredoc text behaves just like a double-quoted string, without the double quotes.
2. Quotes in a heredoc do not need to be escaped, but the escape codes (\n linefeed, \r carriage return, \t horizontal tab, \v vertical tab, \e escape, \f form feed, \\ backslash, \$ dollar sign, \" double-quote) can still be used. Variables are expanded, but the same care must be taken when expressing complex variables inside a heredoc as with strings.
Example :
$myname = 'Tikku';
$heredoc_example = <<<HEREDOC
\\n ,\\r ,\t ,\r ,\\v ,\\e ,\f ,\\ , \ ,$89 ,$ , $myname , ' , \$myname , \" ,\'
HEREDOC;
echo $heredoc_example;
//OUTPUT \n ,\r , , ,\v ,\e , ,\ , \ ,$89 ,$ , Tikku , ' , $myname , \" ,\'
nowdocs
1. Nowdoc text behaves just like a single-quoted string, without the single quotes.
2. Quotes in a nowdoc do not need to be escaped. Variables are not expanded in it. The advantage of nowdocs is embedding PHP code and escape codes without the need for escaping.
Example :
$myname = 'Tikku';
$nowdoc_example = <<<'NOWDOC'
\\n ,\\r ,\t ,\r ,\\v ,\\e ,\f ,\\ , \ ,$89 ,$ , $myname , ' , \$myname , \" ,\'
NOWDOC;
echo $nowdoc_example;
//OUTPUT \\n ,\\r ,\t ,\r ,\\v ,\\e ,\f ,\\ , \ ,$89 ,$ , $myname , ' , \$myname , \" ,\'
Syntax: A nowdoc is identified with the same <<< sequence used for heredocs, but the identifier which follows is enclosed in single quotes, e.g. <<<'NOWDOC'. All the rules for heredoc identifiers also apply to nowdoc identifiers, especially those regarding the appearance of the closing identifier.
Nowdoc is great when you don't want to deal with quoting and unquoting complex strings, since it won't interpret any quotes and it won't accept variables. As such, it's well suited to manually displaying actual code snippets!
However, if you're using a mix of heredocs and nowdocs for blocks of string content, which is an easy temptation to fall into, you could easily run into XSS (cross site scripting) problems wherever you use heredoc! As such, this approach is just not clean enough for me to recommend to a developer starting out in PHP! Instead, you should be trying to use templates (of whatever kind, or whatever template engine you like) for these large blocks of information. After all, you don't want HTML in your PHP, and you -certainly- don't want user-injected JavaScript, like:
$username = '<script>alert(document.cookie.toString())</script>';
$insecure_example = <<<HERE
I really like having my site exploited, $username
HERE;
So don't use HEREDOCS and NOWDOCS in the place of a proper templating approach or a templating engine.
Wherever there is an interface between languages or technologies, you have to encode. PHP to SQL? Bind. PHP to HTML? Encode. HTTP to PHP?
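The two interfaces named in the answer above, bind for SQL and encode for HTML, put into working code. This is an added example, not code from any post on this page or from CodeIgniter; it assumes PDO with an in-memory SQLite database, and the $username and $hostile_uid values are constructed for the demonstration.

```php
<?php
// Added example, not code from any post on this page. Assumes PDO with an
// in-memory SQLite database; PDO and htmlspecialchars are standard PHP.

// PHP -> SQL: bind. The heredoc holds only the '?' placeholder; the value
// travels separately, so it can never change the structure of the query.
function select_user(PDO $pdo, string $uid): array
{
    $sql = <<<SQL
SELECT * FROM user WHERE uid = ?
SQL;
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$uid]);   // $uid is bound, never interpolated
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// PHP -> HTML: encode. The untrusted value is escaped first, and only the
// escaped copy is interpolated by the heredoc.
function greet(string $username): string
{
    $safe = htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return <<<HTML
<p>Welcome back, $safe</p>
HTML;
}

// Constructed data: two rows, one hostile lookup value, one hostile name.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE user (uid TEXT, name TEXT)');
$pdo->exec("INSERT INTO user VALUES ('1', 'alice'), ('2', 'bob')");

$hostile_uid = "1' OR '1'='1";
// Bound as one opaque string this matches no uid; written inside the
// heredoc as $hostile_uid instead, the same text would match every row.
$rows = select_user($pdo, $hostile_uid);
var_dump(count($rows));

$username = '<script>alert(document.cookie.toString())</script>';
// The <script> tag reaches the browser as escaped text, so nothing runs.
echo greet($username), "\n";

// A nowdoc never interpolates, so $username here stays literal text.
$template = <<<'TXT'
Welcome back, $username
TXT;
echo $template, "\n";
```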
Heredoc is 1000 times faster than "text", echo 'text' and nowdoc.
Sql1 with echo = 0.00011205673217773
sql2 with heredoc = 9.7751617431641E-6
Result = Sql1 Is 1046.3414634146% slow.
I am trying to test some of these code here http://ha.ckers.org/xss.html on my code. To do so I need to set the codes on that page into a PHP variable, I am having trouble though.
For example, this code below is incorrect just for setting it to a variable because of the "code" and 'code'; the '" is what I am talking about. How can I set code from that page or below into a PHP variable for testing?
$string = '<IMG SRC=\"javascript:alert('XSS');\"><b>hello</b> hiii';
You need to escape the quotes you used to declare the string with. So in your case the single quotes:
'<IMG SRC="javascript:alert(\'XSS\');"><b>hello</b> hiii'
Otherwise the string would be aborted with that unescaped quote.
Another way, maybe a bit easier (you don't have to escape the quotes, nor double quotes), would be to use heredoc syntax:
$string = <<<STR_1
<IMG SRC="javascript:alert('XSS');"><b>hello</b> hiii
STR_1;
Note you'll still have to escape the $ sign, if you have some, to not have variable interpolation.
Quoting the manual:
Heredoc text behaves just like a double-quoted string, without the double quotes. This means that quotes in a heredoc do not need to be escaped, but the escape codes listed above can still be used. Variables are expanded, but the same care must be taken when expressing complex variables inside a heredoc as with strings.
Note: read the manual about that: there are some things you must know before using heredoc syntax (like the fact that the closing identifier must be alone on its line).