I ran into a block of code that executes print with double quotes around the argument. The argument contained a variable that was seemingly escaped by a dollar sign. Is that how a variable is called inside double quotes in php?
print("$$owed");
Here's the full block from the source:
<html>
<head>
<title>Loans</title>
</head>
<body>
<?php
$interest_rate = .14;
function YouOweMe($cost, $interest_rate) {
$weekly_payment = ($cost*$interest_rate);
print "You better pay me $$weekly_payment every week, or else!";
}
<font color="#000000">YouOweMe($cost, $interest_rate);
?>
</body>
</html>
I had to strip the numbers. So annoying.
Anyway, ... What doesn't make sense to me is that $$owed is supposed to, what? Create a new variable from a separate variable that contains a string 'owed'? That doesn't seem practical in any situation. Isn't $$owed just to get a dollar sign before the amount?
Here is an example to understand variable variables :
<?php
$var = "test";
$test = "hey !";
echo "$$var"; //$test
echo "${$var}"; //hey !
echo '$$var'; //$$var
?>
Edited according to comments.
In PHP, a variable is escaped with $ when inside a string defined with double quotes. This does NOT work with single quotes.
$string = "world";
echo "Hello ${string}";
#### outputs "Hello World"
That is how you put a variable into a string (you need the double quotes).
What you have is variable-variable. You can call a variable $foo by using a string with foo in it.
$string = 'foo';
$foo = 'hello world';
echo "I say, ${$string}";
Would output "hello world.
There are a couple of ways to use variables inside double quotes, some common ways are
print("$owed") will print the value of $owed
print("$$owed") is called a "variable variable" (as linked previously)
$owed = "test";
$test = 16;
print("$$owed");
will print out "$test".
Another use of this comes in the form of print("${$owed}"), which takes the value of $test and uses it as the variable name.
I strongly advise you to use single quotes and concatenate the variables needed, as it saves the time for evaluating variables in out, e.g.:
$owed = 42;
print('The value is: ' . $owed);
lg,
flo
Related
I have a string (a c code) in a vairable. I want to print it php. But i don't why everything after double quotes in not printing.. pls help. Below is the code.
$answer_something='printf("\\n")';
echo $answer_something;
//OUTPUT: printf(
//WHAT I WANT TO PRINT IS printf("\\n");
The PHP syntax for strings is explained in the Strings chapter of the manual. To produce static strings with code samples into variables I'd go for nowdoc:
<?php
$str = <<<'EOD'
printf("\\n");
You can write almost anything you want. No 'escaping' "needed" \r \n \
EOD;
var_dump($str);
Of course, this does not apply if you read information from the $_POST superglobal array: the array will automatically contain whatever the user submitted.
How about using:
$x = 'printf("\\\\n");';
echo $x;
I suppose this is for some kind of trivia / questionnaire. You have to escape each backslash with 2 backslashes.
You can check the output here: http://ideone.com/fFvb28
try this:
$answer_something = $_POST['option'];
if($answer_something == '\\n'){
printf("\\n");
}
The user input is like this
$user_input = htmlspecialchars($_GET['$user_input']);
According to PHP.net:
'&' (ampersand) becomes '&'
'"' (double quote) becomes '"' when ENT_NOQUOTES is not set.
"'" (single quote) becomes ''' (or ') only when ENT_QUOTES is set.
'<' (less than) becomes '<'
'>' (greater than) becomes '>'
But what about $? For example the code is like this:
echo "Some cool text $user_input";
Now lets say user input is $secretCode so:$_GET['$user_input'] = "$secretCode";
Will the code then not echo the $secretCode?
Also what about this. Lets assume the code is like this:
$html = <<<EOF <head>.... EOF;
What if the input is $_GET['$user_input'] = "EOF;"; Won't this quit the string?
You're assuming a level interpretation that doesn't exist. If you write string literals like this:
$foo = 'bar';
$baz = "Hello $foo";
Then yes, $foo will be interpolated into the string. That is because it is explicitly written as a string literal in PHP source code.
On the other hand:
$foo = 'bar';
$baz = $_GET['var'];
Under no circumstances whatsoever will anything be interpolated here. Nor here:
$foo = <<<EOL
$_GET[var]
EOL;
$_GET['var'] can contain whatever it wants to, it is of no concern. PHP does not recursively evaluate all values over and over to see if there may be something that can be interpolated. There is no security issue here.
To provoke any of this recursive behaviour, you'd have to explicitly construct PHP source code as a string and then explicitly evaluate it:
$code = <<<EOL
$foo = 'bar';
echo "Hello $_GET[var]";
EOL;
// $code is now, say:
// $foo = 'bar';
// echo "Hello $foo";
eval($code);
Unless you do something like this (and please, never use eval), nothing will happen.
For embedding arbitrary text inside of HTML, htmlspecialchars is fine to escape characters which have a special meaning in HTML; yes, it's secure.
php will not parse variables inside variables itself, because the variable is not clearly written in your php code, php dont parse variables at this level. so with this in mind the following examples will fail and will output some text and $bar and not some text and test
$_GET['foo'] = '$bar';
$baz = $_GET['foo'];
$bar = 'test';
echo "some text and $baz";
// some text and $bar
Constant strings in your PHP code will be parsed like that, but strings that come from another source are not.
So in the line below, the variable $world will be expanded:
$var = "Hello $world";
In the line below, the exact value is used as it is read from (probably) a database. Even if the field 'example' world contain the text 'Hello $world', the variable $world would not be expanded.
$var = $row['example'];
This is normal PHP behaviour and is not related per se to htmlspecialchars.
Double quotes--->"$a" interpretes variables.
single quotes--->'$a' does not.Alright till now
MyQuestion:
what if I use "'$a'"?
Note:want to know behind the scene details.
Detailed Explanation:
I faced a major problem because of this when I used it in a foreach loop:
The following example gave me incorrect option value. For example, value it renders is UX if original is UX developer
echo "<option value=".$item['m_designation'].">".$item['m_designation']."</option>";
this example gave me correct option value. For example,value it renders is UX developer if original is UX developer
echo '<option value="'.$item['m_designation'].'"> '.$item['m_designation'].' </option>';
Hope I am clear.
Update:
I got the desired result but I don't know the logic behind it. I have tried it and done it successfully, but I wanted to know what's happening behind the scene. I think people have misread my question.
The use of ' and " for strings only changes when they are the outer container of the entire string - a different quote inside that is just treated as a plain character with no special meaning, therefore "'$var'" uses the rules of " (parsing variables), whereas '"$var"' would literally output "$var" as it uses the rules of ' (no parsing of variables).
Summary:
When you do "''" or "\"\"" the quotes inside the string are not parsed by PHP and treated as literal characters, the contents of such quotes will have the same behaviour in or out of those quotes.
You'll have a string that uses double quotes as delimiters and has single quotes as data. The delimiters are the ones that matter for determining how a string will be handled.
$a = 'test';
echo '$a';// prints $a
echo "$a";// prints test
echo "'$a'"//prints 'test'
double quotes checks the php variable and echo the string with php variable value
example echo "wow $a 123"; //prints wow test 123
single quotes print whatever in the single quotes
example echo 'foo $a 123';//prints foo $a 123
Your 'faulty' (first) string was missing the single quotes ':
echo "<option value='".$item['m_designation']."'>".$item['m_designation']."</option>";
^ ^
Your problem is that you confuse the quotes in your HTML with the quotes in the PHP.
$a = 1;
$b = '"$a"';
echo $b;
# => "$a"
$a = 1;
$b = "\"$a\"";
echo $b;
# => "1"
I'd advise you to simply never use string literals, as (especially in PHP) there are a lot of unexpected and weird edge-cases to them. Best is to force an interpreter (which also only works with double quotes:
$a = 1;
$b = "\"{$a}\"";
$c = "{$a+2}";
echo $b;
# => "1"
echo $c;
# => 3
It seems your question is more directed toward the output PHP produces for HTML formatting. Simply, single quotes in PHP represent the literal value:
$a = 1;
$b = '$a';
echo $b;
//$a
$a = 1;
$b = "$a";
echo $b;
//1
$a = 1;
$b = "'$a'";
echo $b;
//'1'
If you want to output HTML, you can use heredoc syntax. This is useful when outputting more than one line containing variables:
$name = "Bob";
$age = 59;
echo <<<EOT
My name is "$name".
I am $age years old.
EOT;
//My name is "Bob"
//I am 59 years old.
I'm a bit confuse with
$hello = "hello";
echo "Say $hello";
echo "Say {$hello}";
echo "Say ${hello}";
and the output is same Say hello. When should I use {$hello} and ${hello}? and why it cannot be used in single quote?
$animal = 'cat';
echo "I have 14 $animals";
This may lead to problems, thus you will "escape" it
echo "I have 14 ${animal}s";
or
echo "I have 14 {$animal}s";
In single caused variables/expression were never substituted.
Single quoted string will never expand variables in PHP. See:
http://php.net/manual/en/language.types.string.php
for more detail of the string formats in PHP. There are 4 in total (including nowdoc introduced in PHP 5.3). Only double quoted and heredoc string formats cause variables to be expanded.
According to http://www.php.net/manual/en/language.types.string.php#language.types.string.parsing ,
this is a simple syntax:
echo "Say ${hello}";
and this is a curly syntax:
echo "Say {$hello}";
Why does them both output the same? Becaus in PHP you can use variable variables in every place you want. For example:
$var = 'somevar';
$bar = 'var';
echo $$bar; // "somevar", simple variable variable
echo ${$bar}; // "somevar", complex syntax
echo ${bar}; // "var", because {bar} treated as a string constant:
// Notice: Use of undefined constant bar - assumed 'bar'
So, using variable variables syntax ${hello} simply translated to $hello.
Very basic, but would like to know the difference/security ramifications etc of using " vs. '.
Can someone provide an example that explains when to use each one?
There are a lot of subtle differences, you'll want to read the php documentation to get a lot of the details, but the important detail are:
Double quotes are parsed whereas single quotes are literals.
You can use variables inline with double quotes, but not with single quotes.
There are some catches though:
<?php
$beer = 'Heineken';
echo "$beer's taste is great"; // works; "'" is an invalid character for variable names
echo "He drank some $beers"; // won't work; 's' is a valid character for variable names but the variable is "$beer"
echo "He drank some ${beer}s"; // works
echo "He drank some {$beer}s"; // works
?>
Single quotes are slightly faster.
When a string is enclosed in double quotes, then escape sequences such as \n and variable identifiers such as $var are interpreted.
See the PHP strings manual for specific details and examples.
The biggest one is this. Inside double-quotes, you can include variables, but inside single quotes, the variable name will be literal:
$var1 = "hello";
// this will echo "hello world"
echo "$var1 world";
// this will echo $var1 world
echo '$var1 world';
Using double-quotes becomes extremely useful in a number of situations, expecially when you place {} around the variable names. Here are some examples (certainly others can give you more examples):
// array elements
echo "Element 5 is {$myArray[5]}";
echo "Element 2 subelement 3 is {$myArray[2][3]}";
//
// a dynamic key
$value = "thing";
$someValue = $myArray["some{$value}"]; // returnd $myArray[something]