#1
    Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date: Feb 2013
    Posts: 59
    Rep Power: 2

    Issue in single quotes and double quotes


    Hi Friends,

    The line below, containing "{$option}", produces the expected results.

    /*first code*/
    echo "<option value='{$option}' selected='selected'>{$option}</option>";

    I get the output.

    But when I swap the single quotes and double quotes, as in the code listed below:

    /*second code*/
    echo '<option value="{$option}" selected="selected">{$option}</option>';

    the output is literally {$option}. Could you please help me correct the second line of code?
#2
    Contributing User
    Devshed Loyal (3000 - 3499 posts)
    Join Date: Jul 2003
    Posts: 3,232
    Rep Power: 593
    When you use single quotes everything inside is taken as literal. No substitution occurs.
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
#3
    Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date: Jul 2013
    Posts: 179
    Rep Power: 0
    IMHO - make it a habit to use double quotes on strings, especially if you will be including a php var in it.

    PS - you don't need to use curly braces on php vars in strings unless they are vars that use quotes themselves (such as SESSION vars and arrays)

    Your first ex. should look like this:
    PHP Code:
    echo "<option value='$option' selected='selected'>$option</option>";
#4
    --
    Devshed Expert (3500 - 3999 posts)
    Join Date: Jul 2012
    Posts: 3,921
    Rep Power: 1045
    Hi,

    bad advice, in my opinion.

    The legitimate use cases for directly inserting variables are very rare. And that means double quotes should be just as rare.

    You realize that you can't just take arbitrary input and drop it into your HTML document, right? You need to escape it first. Otherwise, you'll quickly end up with cross-site scripting vulnerabilities or at least severe bugs.

    So where's your escaping? Either you don't have it, which would be a disaster. Or you have large blocks of code where you escape all the variables for later, which would be poor style.

    Either way, this technique is bad. I suggest you give it up and use a cleaner, more secure and more robust approach:

    PHP Code:
    <option value="<?= html_escape($option) ?>"><?= html_escape($option) ?></option>
    or

    PHP Code:
    echo '<option value="' . html_escape($option) . '">' . html_escape($option) . '</option>';
    Note the escaping.

    If you don't like to escape all variables by hand, you can always use a template engine like Twig. This would also help untangle the PHP/HTML spaghetti code.
    Last edited by Jacques1; January 21st, 2014 at 09:22 AM.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
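A runnable illustration of the post above, added here and not code from the thread: the interpolated version emits whatever `$option` contains, while escaping at the output site turns the dangerous characters into entities. PHP has no built-in `html_escape()`, so the helper below is assumed to be a thin wrapper around `htmlspecialchars()`; the sample value is constructed.

```php
<?php
// Added example, not code from the thread. PHP has no built-in html_escape();
// this helper (an assumption about what the post's html_escape() does) wraps
// htmlspecialchars() with the flags needed for attribute values and text nodes.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample value: an <option> label taken straight from an untrusted
// source (a form field, a database row) that happens to contain a quote and tags.
$option = "Green'><b>injected</b>";

// 1) Interpolation as in the thread's "first code": the raw value lands inside
//    value='...', so the single quote in $option closes the attribute early and
//    the rest of the value is parsed by the browser as markup.
$unsafe = "<option value='{$option}' selected='selected'>{$option}</option>";

// 2) Escaped at the point of use, as the post above recommends: the quote and
//    the angle brackets become entities and the browser treats them as text.
$safe = '<option value="' . html_escape($option) . '" selected="selected">'
      . html_escape($option) . '</option>';

echo "Interpolated (unsafe): ", $unsafe, PHP_EOL;
echo "Escaped (safe):        ", $safe, PHP_EOL;
```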
#5
    Confused badger
    Devshed Beginner (1000 - 1499 posts)
    Join Date: Mar 2009
    Location: West Yorkshire
    Posts: 1,047
    Rep Power: 487
    Hmm, this is interesting and I have always used double-quotes for my PHP and broken out the PHP elements with periods, for example:

    PHP Code:
    echo "<select name='" . $slName . "' id='" . $slID . "' onchange='" . $slOnChange . "' style='" . $slStyle . "'>";
    Is this really bad or what??
    Note, this is just a line from within a function where the vars used don't need escaping beforehand.
    "For if leisure and security were enjoyed by all alike, the great mass of human beings who are normally stupefied by poverty would become literate and would learn to think for themselves; and when once they had done this, they would sooner or later realise that the privileged minority had no function and they would sweep it away"
    - George Orwell, 1984
#6
    Contributing User
    Devshed Newbie (0 - 499 posts)
    Join Date: Jul 2013
    Posts: 179
    Rep Power: 0
    I don't see how developing a habit to make it easier to write and read your strings that involve php vars is bad form because it starts with double quotes.

    Obviously one has to ensure the use of good practice in outputting variables/data. Tying the use of quotes to this practice is a bit of overkill in "good practice" discussion IMHO.

    Of course if one is going to embed the function that sanitizes the data INSIDE of the output statement, then quotes don't really matter. But if a developer sanitizes his/her data prior to placing that 'clean' variable into an output line such as an echo with text and vars in it, the use of quotes as I expressed is a much better way of simply writing code as well as enhancing the readability.

    As for Badger's input - yes, breaking up an output into text portions and concatenating the var portions is fine - but not as easy to read if one has in fact done his/her homework before that point.
#7
    Wiser? Not exactly.
    Devshed God 1st Plane (5500 - 5999 posts)
    Join Date: May 2001
    Location: Bonita Springs, FL
    Posts: 5,905
    Rep Power: 3969
    Originally Posted by jimmyg999
    I don't see how developing a habit to make it easier to write and read your strings that involve php vars is bad form because it starts with double quotes.
    It's not so much the double-quotes that are bad-form, it's the variable interpolation that typically goes along with it which is bad-form.

    Using concatenation rather than embedding variables directly into a string provides a more consistent method of inserting data into a string. It works not only with variables but also function calls or expressions. Depending on your editor, embedded variables may not be properly highlighted within strings either unless concatenation is used. Overall, concatenation results in easier to understand code.

    Whether you want to use single-quotes or double-quotes is more of a preference. I generally prefer single quotes around my strings so that I don't have to bother with escaping double-quotes used within the string such as around HTML attribute values (single-quoted attribute values annoy me for some reason).

    Comments on this post

    • Jacques1 agrees
    Recycle your old CD's, don't just trash them

    If I helped you out, show some love with some reputation, or tip with Bitcoins to 1N645HfYf63UbcvxajLKiSKpYHAq2Zxud
#8
    --
    Devshed Expert (3500 - 3999 posts)
    Join Date: Jul 2012
    Posts: 3,921
    Rep Power: 1045
    Escaping variables at some earlier stage is nonsensical and a common source for errors.

    The more you detach the escaping from the actual use, the greater the risk of getting it wrong. How do you know a particular variable at a particular location in the code can safely be used in an HTML context? You can't tell unless you go through the code and find out the current value of this variable. Great.

    And what if you need the same value for different contexts? Say, you need the raw value, an HTML-safe version, an SQL-safe version and a JavaScript-safe version. Does that mean you carry around four(!) different variables for the same value? $rawUserID, $userIDEscapedForHTML, $userIDEscapedForSQL and $userIDThisTimeEscapedForJavaScript?

    Last but not least, this approach comes with a lot of unnecessary boilerplate code. Instead of simply escaping the values on-the-fly, you now need a large block of variable initializations whenever you wanna access an external resource.

    So you lose security, simplicity and compactness, and all you get is a vague promise that the PHP/HTML mixture might be a bit easier to read. I don't find that convincing at all.

    My suggestion is:

    • Do the escaping when you need it.
    • Go with single quotes unless you have a reason for using double quotes.
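The per-context point made in this post, as an added example that is not from the thread: one raw value is emitted into HTML text, an HTML attribute, a JavaScript literal and an SQL query, with the escaping chosen at each output site instead of being stored in four pre-escaped variables. `html_escape()` and `js_literal()` are helpers assumed here, the display name is constructed, and the SQL part assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not code from the thread: one raw value, escaped at each point
// of use for the context it lands in, instead of carrying $nameEscapedForHTML,
// $nameEscapedForJavaScript, ... around as separate pre-escaped variables.

// HTML contexts (text nodes and quoted attribute values).
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript context: emit the value as a JSON literal. The JSON_HEX_* flags
// encode < > & ' " as \uXXXX escapes so the literal cannot close the <script>
// element or the quotes around it.
function js_literal($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample: a user-supplied display name with characters that are
// meaningful in HTML and in JavaScript.
$displayName = "O'Neil <script>&";

// Same raw variable, three output contexts, each escaped where it is used.
echo '<h1>Hello, ' . html_escape($displayName) . '</h1>' . PHP_EOL;
echo '<input type="text" name="name" value="' . html_escape($displayName) . '">' . PHP_EOL;
echo '<script>var user = ' . js_literal($displayName) . ';</script>' . PHP_EOL;

// SQL context: no escaping function at all. The raw value is bound to a prepared
// statement placeholder, so $displayName is reused as-is. PDO with an in-memory
// SQLite database keeps the example stand-alone (assumes pdo_sqlite is installed).
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (?)');
$insert->execute([$displayName]);
$select = $pdo->prepare('SELECT id FROM users WHERE name = ?');
$select->execute([$displayName]);
echo 'Matched user id: ' . $select->fetchColumn() . PHP_EOL;
```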
