PHP lines with XML cause unexpected '>' errors - php

When I set variables that include angle brackets (< >) or slashes I keep getting errors like the following (code simplified to focus on error):
Parse error: syntax error, unexpected '>' in D:\hosting\8499439\html\test.php on line 2
<?php
$xml = “<Request>\n”;
?>
I also run into a lot of issues with "unexpected T_String" errors that appear to be related.
I'm running PHP5 on a GoDaddy Windows Server.
What am I doing wrong? (I get the impression I need to do something so that special characters can be handled in my PHP).
Thanks in advance.

Your quotes are curly quotes, not straight quotes, so PHP runs into an error processing them. A string can only be recognized with straight quotes.
Use the following code:
<?php
$xml = "<Request>\n";
?>
Assuming that you have the same error elsewhere, you can probably do a simple search-and-replace to fix the error: search for one of the curly quotes, replace with a straight quote. Repeat with the other curly quote. Make sure to check for straight quotes that may need to be escaped (for instance, something like "Mary said, "I like this."" would need to be escaped as "Mary said, \"I like this.\"")

mc10 is right.
Additionally, I can say there are only "" (double) and '' (single) quotes in PHP. I suggest you read about the differences between them.
I prefer using single quotes only to keep code clear.

Related

PHP string interpolation syntax

I tried to do redirect with this syntax:
header("location: readMore.php?id=$post['post_id']");
But it didn't work. It worked only after someone suggested to put curly brackets around $post['post_id']!
The correct syntax is:
header("location: readMore.php?id={$post['post_id']}");
What does the curly brackets do in this case?
Quoting the manual:
When a string is specified in double quotes or with heredoc, variables are parsed within it.
There are two types of syntax: a simple one and a complex one. The simple syntax is the most common and convenient. It provides a way to embed a variable, an array value, or an object property in a string with a minimum of effort.
The complex syntax can be recognised by the curly braces surrounding the expression.
Your first code uses simple syntax, and your second code uses a complex one.
The manual does not explicitly state this, but whitespace in simple syntax seems to be an error, rendering your first code invalid. Complex syntax appears to support the same syntax as regular PHP does as far as I can see, but again this does not seem to be actually guaranteed anywhere.
String interpolation is quite flunky in general:
$a = [['derp']];
$b = $a[0];
// Works. It prints derp
echo "$b[0]";
// Doesn't work. It throws an error
echo "$b[ 0 ]";
// Works. It prints derp
echo "{$b[ 0 ]}";
// Doesn't work. It prints Array[0]
echo "$a[0][0]";
// Works. It prints derp
echo "{$a[0][0]}";
// Doesn't work. It prints { Array[0] }
echo "{ $a[0][0] }";
You get similar issues with $object -> foo and $object->foo->bar.
To me, that is pure madness. For that reason I've come to avoid double quoted strings whenever possible (the only thing I use them for is escape sequences like "\n"). I instead use single quotes and string concatenation, like so:
header( 'location: readMore.php?id=' . $post[ 'post_id' ] );
This lets you use actual PHP syntax for variables without the horrible death trap that is string interpolation.
I came to this question to know more about constant interpolation syntax when those PHP "<<<" things are used to create multiline strings called Heredocs (which allow variable interpolation, unlike Nowdocs).
However, it seems there is no specific syntax for them, and therefore a simple workaround is to create a closure to do so. In here it is just an anonymous function assigned to a variable that will be invoked with parameters:
$int = 'intruder'; // Variable
define('con', '"smart"'); // Constant
// For complex interpolation:
// 1. Define a closure (anonymous function)
// 2. Assign it to a variable with a short name (e.g.: _ )
// 3. Invoke the function by calling the variable with parameters enclosed in ()
$_ = function ($val){return $val;};
$doc = <<<TXT
Hi there,
One day I caught this $int nearby.
I was then told that actually other {$_(con)} $int was there before.
So who came first, the chicken or the egg?
TXT; // Heredoc
echo $doc;
Output:
Hi there,
One day I caught this intruder nearby.
I was then told that actually other "smart" intruder was there before.
So who came first, the chicken or the egg?
You can test the above online on 3v4l. This was based on this answer with a few more examples with operations inside the interpolation brackets.
When you use double or single quotes, PHP will treat whatever is in it as a string unless you tell it that it’s a variable. PHP understands anything after { followed by $ as a variable and treats it as such. Here is an example:
$Text = "XYz";
echo "name-{$Text}";
The other alternative method is to use concatenation. Here is an example:
header("location: readMore.php?id=" . $post['post_id']);
Brackets allow PHP to read what's inside as a variable. You can do that this way too:
header("location: readMore.php?id=" . $post['post_id']);
PHP's simple string interpolation doesn't recognize quoted array keys, which your example demonstrates perfectly. In fact, the correct way to write this is exactly opposite depending on which syntax used: simple vs complex.
Simple syntax - Wrong
Quoted keys cannot be parsed.
header("location: readMore.php?id=$post['post_id']");
Simple syntax - Right
The unquoted string is the associative array key.
header("location: readMore.php?id=$post[post_id]");
Complex syntax - Wrong
It will work, but only if post_id is a defined constant. If not, you'll get a PHP warning.
header("location: readMore.php?id={$post[post_id]}");
Complex syntax - Right
Written just like outside the string.
header("location: readMore.php?id={$post['post_id']}");
To quote the manual on the complex syntax:
// Works, quoted keys only work using the curly brace syntax
echo "This works: {$arr['key']}";
I'd recommend using complex (curly brace) syntax if using quoted keys. And you really should be using them, because outside the string interpolation unquoted keys are actually constants. It's too bad the simple syntax won't allow them, because it makes code reviews and updating old PHP code more difficult.

Is it safe to concatenate a double quoted to a single quoted string?

Are there any issues I should be aware of when doing the following:
$table_html = ' <td id="unescaped-double-quotes-yay">Some stuff</td>' . "\n";
I do not like escaping double quotes within HTML and I can't stand using single quotes in HTML, my solution is what I have above. Am I going to run into any issues with this practice?
You MUST escape strings that come from the DB or from the user because they could easily break your concatenation if the unexpected kind of quote is present in that string (not to mention that you MUST cleanse anything that comes from the user for minimal security).
Other than that you can concatenate strings any way you like. Still, life will always be easier if you manage to use them consistently the same way.
I have done this many times on client sites (have since found better alternatives), you are 100% fine.
Are you aware of the following representation:
$table_html = <<<HTML
<td id="unescaped-double-quotes-yay">
Some stuff, and i can use normal newlines here
</td>
HTML;
It is called "heredoc", and you must keep in mind that the final string must be equivalent to the opening one, and must be the only thing on the line (no spaces or even comments are allowed).
You must also terminate the last line with the newline, even if it is the last line in the file.
To read more about it click here
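The escaping advice in the answers above, applied to the cell from the question, as an added example that is not part of the original thread. The helper names `table_cell` and `inspect_cell` and the sample values are constructed for illustration, and the DOM extension is assumed to be available.

```php
<?php
// Hypothetical helper: builds the cell from the question with both values escaped.
function table_cell($id, $text)
{
    // ENT_QUOTES escapes " and ' so the value cannot end the id="..." attribute.
    $id = htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
    $text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    return ' <td id="' . $id . '">' . $text . '</td>' . "\n";
}

// Parses a cell with an HTML parser and reports what the markup turned into.
function inspect_cell($cellHtml)
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // keep parser warnings out of the output
    $doc->loadHTML('<table><tr>' . $cellHtml . '</tr></table>');
    libxml_clear_errors();
    $td = $doc->getElementsByTagName('td')->item(0);
    return array(
        'attributes'     => $td->attributes->length,
        'child_elements' => $td->getElementsByTagName('*')->length,
        'text'           => $td->textContent,
    );
}

// Constructed values standing in for database or user input.
$id = 'row-7" class="injected';
$text = 'Tom & "Jerry" <b>bold</b>';

$raw = ' <td id="' . $id . '">' . $text . '</td>' . "\n";   // plain concatenation
$escaped = table_cell($id, $text);

foreach (array('raw' => $raw, 'escaped' => $escaped) as $label => $html) {
    $info = inspect_cell($html);
    printf("%-8s attributes=%d child_elements=%d text=%s\n",
        $label, $info['attributes'], $info['child_elements'], $info['text']);
}
```

With plain concatenation the quote inside the value ends the `id` attribute and the rest is parsed as markup; with `htmlspecialchars` the same value stays inside the attribute and the text node.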

Why this line of code doesn't need escaped quotes

I'm following a PHP tutorial, and came across this line of code
redirect_to("manage_content.php?subject={$current_subject["id"]}");
I was surprised to see this works without the need to escape the quotes around "id" inside the brackets.
But I don't understand why. Does anyone know?
When you wrap a variable in curly braces {}, the PHP parser knows anything inside that is a variable and won't parse it like the rest of the string!
This only works with strings in double-quotes - single-quoted strings are taken at face value, so this has to be escaped:
$str = 'My cool string! {$array[\'key\']}';
While your example doesn't.
Because of this, it's best practice to put static strings in single quotes - it's a micro-optimization, but it's technically a bit faster since the PHP parser doesn't have to work its way through the string!

PHP string concat without the "dot" operator

I'm working to integrate a plug-in into a PHP web application, and one line of the code puzzles me:
$sql = "update inventory set qtyleft='$qtyleft',price='$price',sales=sales+'$sales',qtysold=qtysold+'$qtysold' where id='$id'";
mysql_query($sql);
where $qtyleft, $price, $sales, $qtysold and $id are all variables.
I'm not very familiar with PHP, but I always thought string concatenation in PHP is done by using the . operator and it seems to me that the code above is just a long string without actually putting those variables to the SQL query. Is that the case?
In PHP, double quote (") delimited strings will evaluate variables in them.
$foo = 42;
echo "The answer for everything is $foo"; // The answer for everything is 42
This specific example is very bad because you shouldn't include variables directly in an SQL query, and shouldn't use mysql_query in new code.
See more:
Why shouldn't I use mysql_* functions in PHP?
How can I prevent SQL injection in PHP?
See Variable Parsing section of the Strings manual page.
When a string is specified in double quotes or with heredoc, variables are parsed within it.
If you use single quotes for a string, the variables will not be interpolated. If you use double quotes, they will be.
The code you mentioned will work in PHP without any issues. Please refer to the PHP Manual for more details.
Another issue that you might need to look out for is that the function mysql_query is deprecated. Please refer here. This gives me a feeling that the plugin you are going to use is not maintained correctly. And one more problem is that it's not a good practice to pass variables directly in the SQL query due to possible security issues.
Some call it "variable interpolation". It is explained on the Variable parsing section of the manual page about strings. It helps to read the entire page and also the user comments.
The basic idea is that for strings enclosed in quotes (") and on heredoc blocks, PHP searches for variables inside the string when it needs to use it and replaces them with their values at the moment of the execution. This means the same string can render to different values in different moments of the script's execution.
This is just syntactic sugar, it doesn't change the way the code behaves and any string that contains variables inside can be rewritten using the string concatenation operator (.). Usually this syntax produces shorter source code. Sometimes the code is easier to read this way, other times it is harder because the complex expressions (array access, f.e.) need to be enclosed in curly braces ({ and }) inside the string.
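Why the answers above warn against interpolating variables into the query, shown with the UPDATE from the question next to a parameterized version; this is an added example, not code from the thread or the plug-in. It assumes the `pdo_sqlite` driver, uses an in-memory SQLite table in place of the plug-in's MySQL database, and the helper `run_update` and all sample values are constructed.

```php
<?php
// Added example. In-memory SQLite stands in for the plug-in's MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE inventory (id TEXT PRIMARY KEY, qtyleft INTEGER,
            price REAL, sales REAL, qtysold INTEGER)');
$pdo->exec("INSERT INTO inventory VALUES ('1', 10, 5.0, 0, 0), ('2', 20, 7.5, 0, 0)");

// Constructed request values. The quote inside $id ends the SQL string literal early.
$qtyleft = 9;
$price = 5.0;
$sales = 5.0;
$qtysold = 1;
$id = "1' OR '1'='1";

// Query built as in the question: PHP interpolates first, so the database only
// sees one finished string and parses the OR clause as part of the statement.
$sql = "update inventory set qtyleft='$qtyleft',price='$price',sales=sales+'$sales',"
     . "qtysold=qtysold+'$qtysold' where id='$id'";
$rowsInterpolated = $pdo->exec($sql);

// Same update with placeholders: the statement text is fixed and the values
// travel separately, so $id can only ever be compared as data.
$update = $pdo->prepare(
    'UPDATE inventory SET qtyleft = :qtyleft, price = :price,
            sales = sales + :sales, qtysold = qtysold + :qtysold
      WHERE id = :id'
);

// Hypothetical helper: runs the prepared update and returns the affected row count.
function run_update(PDOStatement $update, $id, $qtyleft, $price, $sales, $qtysold)
{
    $update->execute(array(
        ':qtyleft' => $qtyleft, ':price' => $price,
        ':sales' => $sales, ':qtysold' => $qtysold, ':id' => $id,
    ));
    return $update->rowCount();
}
$rowsPreparedCrafted = run_update($update, $id, $qtyleft, $price, $sales, $qtysold);
$rowsPreparedNormal  = run_update($update, '1', $qtyleft, $price, $sales, $qtysold);

printf("interpolated, crafted id: %d row(s) changed\n", $rowsInterpolated);
printf("prepared, crafted id:     %d row(s) changed\n", $rowsPreparedCrafted);
printf("prepared, id '1':         %d row(s) changed\n", $rowsPreparedNormal);
```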

magento escape string for JavaScript part 2

This is a follow up on
magento escape string for javascript
where I accepted #AlanStorm's suggestion to use json_encode to escape string literals.
But I now have a new problem with this solution.
When trying to escape a URL that has /'s in it to be rendered as a string literal for JavaScript, json_encode seems to add redundant \'s in front of the /'s.
Any new suggestions here?
Solutions should take a string variable and return a string that would properly be evaluated to a string literal in JavaScript. (I don't care if it's surrounded with single or double quotes - although I prefer single quotes. And it must also support newlines in the string.)
Thanks
Some more info: how come <?php $v = array('a' => '/'); echo json_encode($v); ?> results in
{"a":"\/"} ?
Details can be found here http://bugs.php.net/bug.php?id=49366
work around for this issue:
str_replace('\\/', '/', $jsonEncoded);
for your issue you can do something like
$jsonDecoded = str_replace(array("\\/", "/'s"), array("/", "/\'s"), $jsonEncoded);
Hope this helps
When I check the JSON format I see that solidi are allowed to be escaped so json_encode is in fact working correctly.
(source: json.org)
The bug link posted by satrun77 even says "It's not incorrect to escape slashes."
If you're adamant to do without and (in this case) are certain to be working with a string you can use a hack like this:
echo '["', addslashes($string), '"]';
Obviously that doesn't help for more complicated structures but as luck has it, you are using Magento which is highly modifiable. Copy lib/Zend/Json/Encoder.php to app/core/local/Zend/Json/Encoder.php (which forms an override) and fix its _encodeString method.
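What the `\/` escape discussed in this thread does when the literal is printed inside an inline `<script>` block, as an added example that is not from the thread, Magento or Zend. It assumes PHP 5.5 or later; `js_string_literal` and `closes_script_block` are hypothetical helpers and the sample strings are constructed.

```php
<?php
// Hypothetical helper (not Magento or Zend code): returns a JavaScript string
// literal, quotes included, for printing inside an inline <script> block.
function js_string_literal($value)
{
    // JSON_HEX_* turns < > & ' " into \u00XX escapes; "/" keeps its default "\/".
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $json = json_encode((string) $value, $flags);
    if ($json === false) {
        throw new InvalidArgumentException(json_last_error_msg());
    }
    return $json;
}

// True when the literal contains text the HTML parser would take as the end
// of the script block, regardless of JavaScript string quoting.
function closes_script_block($literal)
{
    return stripos($literal, '</script') !== false;
}

// Constructed sample values.
$samples = array(
    'http://example.com/catalog/product/view/id/42',
    "first line\nsecond line",
    'text with </script> inside',
);

foreach ($samples as $s) {
    $variants = array(
        'default'           => json_encode($s),
        'unescaped slashes' => json_encode($s, JSON_UNESCAPED_SLASHES),
        'js_string_literal' => js_string_literal($s),
    );
    foreach ($variants as $name => $literal) {
        printf(
            "%-18s %s  round-trips=%s closes-script=%s\n",
            $name,
            $literal,
            json_decode($literal) === $s ? 'yes' : 'no',
            closes_script_block($literal) ? 'yes' : 'no'
        );
    }
}
```

Every variant decodes back to the original string, so the escaped slashes cost nothing in JavaScript; only the variant with the slash escape removed lets a value containing `</script>` end the script block early.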
