This question already has answers here:
Reference Guide: What does this symbol mean in PHP? (PHP Syntax)
(24 answers)
Closed 8 years ago.
I am very new to PHP and HTML, and I came across some code that has a \" where a select name is defined.
<select name=\"table\" ...
My question is: what is that doing?
Thank you.
It's an escape character. It's used to ensure that the next character is not treated as code, but as part of the string.
In this case, it means that the " is part of the string, and doesn't signify the end of the string within the code.
For example, if I want to put this inside of a string...
He said "shut up"...
I'd write something like this...
$str = "He said \"shut up\"...";
The backslash can also be used for special "sequences", which insert special characters. For example, if I want to insert a newline into the string, I'd use the \n escape sequence. Or, if I want a full CRLF, I'd use \r\n to insert both the carriage return (\r) and the line feed (\n) together. There are many escape sequences, most of which are described here, in the PHP documentation.
It escapes the double quote. Consider this:
echo "Hello world, John said "Hello world!"";
This would not evaluate, because John's quote would get processed by PHP as syntax, so you use the escape character \ to skip it:
echo "Hello world, John said \"Hello world!\"";
This is only applicable to double quotes, but would also be used for single quotes in the same way:
echo 'John said \'Hello!\'';
... but this would be fine:
echo "John said 'Hello'";
The \ is used as an escape character in many programming languages, such as PHP, Java, and C#. The escape character allows the usage of special characters, such as " and various special "values" such as \n for a new line.
Here is a reference to Escape sequences in PHP for further reference
The \ is an escape character. In your example, you are outputting HTML, and need to include the quotes, so you use the \ to ignore the quotes and thus create an HTML statement that looks like <select="table"...
I just happened to see the following way to compose a parameterized SQL query:
function select_user($uid)
{
    // what is '<<<'?
    // I can't google any document about it
    // (or I don't know how to search for a symbol)
    $sqlStr = <<< SQL_STR
SELECT * FROM user WHERE uid = ?
SQL_STR; // must be at the beginning of the line
    // and it must match the word at the right hand side of '= <<<'

    // Code Igniter Database Class
    return $this->db->query($sqlStr, array($uid));
}
To rephrase my questions in here:
What does the symbol '<<<' do?
My colleague said that 'SQL_STR' must be matched, why?
A Heredoc is used to define a string, usually because of the benefit of not having to escape quotes throughout the string, unlike a string literal.
From the Manual:
Heredoc text behaves just like a double-quoted string, without the double quotes. This means that quotes in a heredoc do not need to be escaped, but the escape codes listed above can still be used. Variables are expanded, but the same care must be taken when expressing complex variables inside a heredoc as with strings.
$str = <<<EOD
Example of string
spanning multiple lines
using heredoc syntax.
EOD;
What you're looking for is called heredoc.
For what it's worth, the SQL query is irrelevant to the string assignment:
$html = <<<HTML
Imagine some HTML here with interspersed $variables
HTML;
It's of course not limited to HTML either. It has quite a few useful properties for large blocks of text. Namely, you can interpolate variables into it in a pleasant manner, and you don't have to escape single or double quotes. (According to the manual: "Heredoc text behaves just like a double-quoted string, without the double quotes.")
As a newbie, I have been advised to preferably use heredoc compared to too many nested codes (see Unexpected T_ELSE in php code).
But I can't manage to understand if there is a significant difference between heredoc and nowdoc.
What would be the advantages for heredoc and nowdoc compared to the other one that would be important for a newbie to understand (i.e. not very minor advantages but important to understand for me).
Nowdocs are to single-quoted strings what heredocs are to double-quoted strings. A nowdoc is specified similarly to a heredoc, but no parsing is done inside a nowdoc. The construct is ideal for embedding PHP code or other large blocks of text without the need for escaping.
http://php.net/manual/en/language.types.string.php#language.types.string.syntax.nowdoc
In other words:
$foo = 'bar';
$here = <<<HERE
I'm here, $foo !
HERE;
$now = <<<'NOW'
I'm now, $foo !
NOW;
$here is "I'm here, bar !", while $now is "I'm now, $foo !".
If you don't need variable interpolation but need special characters like $ inside your string, Nowdocs are easier to use. That's all.
heredocs
1. heredocs text behaves just like a double-quoted string, without the double quotes.
2. Quotes in a heredoc do not need to be escaped, but the escape codes \n linefeed, \r carriage return, \t horizontal tab, \v vertical tab, \e escape, \f form feed, \\ backslash, \$ dollar sign, \" double-quote can still be used. Variables are expanded, but the same care must be taken when expressing complex variables inside a heredoc as with strings.
Example :
$myname = 'Tikku';
$heredoc_example = <<<HEREDOC
\\n ,\\r ,\t ,\r ,\\v ,\\e ,\f ,\\ , \ ,$89 ,$ , $myname , ' , \$myname , \" ,\'
HEREDOC;
echo $heredoc_example;
//OUTPUT \n ,\r , , ,\v ,\e , ,\ , \ ,$89 ,$ , Tikku , ' , $myname , \" ,\'
nowdocs
1. nowdocs text behaves just like a single-quoted string, without the single quotes.
2. Quotes in a nowdoc do not need to be escaped. Variables are not expanded in it. The advantage of nowdocs is embedding PHP code and escape codes without the need for escaping.
Example :
$myname = 'Tikku';
$nowdoc_example = <<<'NOWDOC'
\\n ,\\r ,\t ,\r ,\\v ,\\e ,\f ,\\ , \ ,$89 ,$ , $myname , ' , \$myname , \" ,\'
NOWDOC;
echo $nowdoc_example;
//OUTPUT \\n ,\\r ,\t ,\r ,\\v ,\\e ,\f ,\\ , \ ,$89 ,$ , $myname , ' , \$myname , \" ,\'
Syntax: A nowdoc is identified with the same <<< sequence used for heredocs, but the identifier which follows is enclosed in single quotes, e.g. <<<'NOWDOC'. All the rules for heredoc identifiers also apply to nowdoc identifiers, especially those regarding the appearance of the closing identifier.
Nowdoc is great when you don't want to deal with quoting and unquoting complex strings, since it won't interpret any quotes and it won't accept variables. As such, it's well suited to manually displaying actual code snippets!
However, if you're using a mix of heredocs and nowdocs for blocks of string content, which is an easy temptation to fall into, you could easily run into XSS (cross site scripting) problems wherever you use heredoc! As such, this approach is just not clean enough for me to recommend to a developer starting out in php! Instead, you should be trying to use templates (of whatever kind, or whatever template engine you like), for these large blocks of information. After all, you don't want html in your php, and you -certainly- don't want user-injected javascript, like:
$username = '<script>alert(document.cookie.toString())</script>';
$insecure_example = <<<HERE
I really like having my site exploited, $username
HERE;
So don't use HEREDOCS and NOWDOCS in the place of a proper templating approach or a templating engine.
Wherever there is an interface between languages or technologies, you have to encode. php to sql? bind. php to html? encode. http to php?
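Added example (not code from the answer above or from any project): the same heredoc interpolation shown beside a version that encodes at the PHP-to-HTML boundary, plus a nowdoc used as a minimal template that never sees raw input. The helper `html()`, the `render_*` function names and the sample `$username` value are this example's own.

```php
<?php
declare(strict_types=1);

// Encode once, at the PHP-to-HTML boundary. The value is still just a PHP string;
// it is safe only because it is encoded for the context it is dropped into.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The pattern from the answer above: the heredoc interpolates $username verbatim,
// so any markup inside it becomes part of the page.
function render_insecure(string $username): string
{
    return <<<HTML
<p>I really like having my site exploited, $username</p>
HTML;
}

// Same heredoc, but what gets interpolated is the encoded copy.
function render_encoded(string $username): string
{
    $safe = html($username);
    return <<<HTML
<p>Hello, $safe</p>
HTML;
}

// Template in miniature: a nowdoc holds the markup literally (no interpolation
// at all), and the encoded value is substituted into a placeholder afterwards.
function render_template(string $username): string
{
    $template = <<<'HTML'
<p>Hello, {username}</p>
HTML;
    return strtr($template, ['{username}' => html($username)]);
}

// Constructed sample input carrying markup (the same value as in the answer above).
$username = '<script>alert(document.cookie.toString())</script>';
echo render_insecure($username), PHP_EOL;  // the script element reaches the browser as markup
echo render_encoded($username), PHP_EOL;   // angle brackets are encoded, so it reaches it as text
echo render_template($username), PHP_EOL;
```

The closing identifiers sit at column 0 so the block also runs on PHP versions before 7.3, which is where indented closing identifiers became legal.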
Heredoc is 1000 times faster than "text", echo 'text' and nowdoc.
Sql1 with echo = 0.00011205673217773
sql2 with heredoc = 9.7751617431641E-6
Result = Sql1 Is 1046.3414634146% slow.
This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Should I use php quote escapes for single quotes or use double quotes in arrays?
Is it okay to use array[key] in PHP?
What is the difference between these three $_POST values?
$_POST[data];
$_POST['data'];
$_POST["data"];
In the first one, the index is the constant data. Since that is likely undefined, PHP will often just convert it to the string 'data' and log a warning message.
The second two are both identical. The index is the string 'data'.
[Short addendum, since this is a dupe.]
This is considered technically wrong, unless a constant foo had been defined.
print $_POST[data];
Only in a double-quoted context is it valid (actually required, sans curly quotes) to leave out the array key quotes:
print " use $_POST[data] in double quote context";
Btw, also check the manual (it can also be freely downloaded!) on these topics:
http://php.net/manual/en/language.types.string.php
http://php.net/manual/en/language.types.array.php
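Added example (not code from either answer above): the three lookups from the question side by side, with a constructed `$post` array standing in for `$_POST`, to show the hazard the answers describe, namely that a bare-word key is a constant lookup and silently reads a different key once a constant of that name exists. The function names and the `define('data', 'other')` are this example's own.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for $_POST, so the example runs without an HTTP request.
$post = ['data' => 'from-key-data', 'other' => 'from-key-other'];

// Single- and double-quoted keys are the same string key 'data'.
function quoted_lookup(array $post): ?string
{
    return $post['data'] ?? null;
}

// Inside a double-quoted string (or heredoc) the bare word IS the string key
// 'data'; quoting it there would be a parse error.
function interpolated_lookup(array $post): string
{
    return "data: $post[data]";
}

// Outside a string, a bare word is a constant lookup. While no constant named
// data exists, PHP 7 emits a warning (a notice before 7.2) and falls back to the
// string 'data'; PHP 8 throws an Error for the undefined constant. Once some
// included code defines that constant, the same line reads a different key.
define('data', 'other');

function bareword_lookup(array $post): ?string
{
    return $post[data] ?? null;   // the key is the constant's value, 'other'
}

echo quoted_lookup($post), PHP_EOL;
echo interpolated_lookup($post), PHP_EOL;
echo bareword_lookup($post), PHP_EOL;
```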
You are taking it slightly wrong.
These quotes have nothing to do with "POST value".
You can use almost any PHP expression as an array key - a string, a variable, a constant, a function call.
In your case these keys are regular PHP strings.
And as a string it ought to be quoted - that's all
As for the quotes - there is no difference in this case.
Double quotes accept some special characters to interpret, you can see the list in the manual.
But as there are no special characters in your strings - there is no difference, which quotes to use.
I am trying to test some of the code here http://ha.ckers.org/xss.html on my code. To do so I need to put the code on that page into a PHP variable, but I am having trouble.
For example, the code below is incorrect just for setting it to a variable, because of the "code" and 'code' (the '" is what I am talking about). How can I set the code from that page, or below, into a PHP variable for testing?
$string = '<IMG SRC=\"javascript:alert('XSS');\"><b>hello</b> hiii';
You need to escape the quotes you used to declare the string with. So in your case the single quotes:
'<IMG SRC="javascript:alert(\'XSS\');"><b>hello</b> hiii'
Otherwise the string would be aborted with that unescaped quote.
Another way, maybe a bit easier (you don't have to escape the quotes, nor double-quotes) would be to use Heredoc syntax :
$string = <<<STR_1
<IMG SRC="javascript:alert('XSS');"><b>hello</b> hiii
STR_1;
Note you'll still have to escape the $ sign, if you have some, to avoid variable interpolation.
Quoting the manual:
Heredoc text behaves just like a double-quoted string, without the double quotes. This means that quotes in a heredoc do not need to be escaped, but the escape codes listed above can still be used. Variables are expanded, but the same care must be taken when expressing complex variables inside a heredoc as with strings.
Note: read the manual about that; there are some things you must know before using heredoc syntax (like the fact that the closing identifier must be alone on its line).