13

How do I put PHP Code into a string?

$phpCode = '<? if($condtion){ ?>';

For some reason, when I do this and echo out the code, I don't get the opening PHP tag, <?.

Am I missing something? Is there a better or more proper way to do this? I am currently looking at the PHP docs on strings but I would like to get your feedback.

Edit: The reason why I am using apsotrophes (') and not quotes (") is because I don't want the code to fill in the value for condition. I want it to echo as-is.

Chris Bier
  • 14,183
  • 17
  • 67
  • 103
  • 1
    Are you echoing the code into HTML output? If so, it's being interpreted as a tag and needs escaping to appear on the screen. – grossvogel Apr 26 '13 at 15:28
  • Do you just give an output or also run it ? – S.Visser Apr 26 '13 at 15:31
  • It is being put into a .php file that will be run at a later time. – Chris Bier Apr 26 '13 at 15:32
  • 1
    There's nothing wrong with the way you're building the string. The answers referring to `htmlspecialchars` are appropriate for displaying the string in a web page, but not if you plan to actually run the generated code. In that case, you should have no trouble writing your string as-is with something like `file_put_contents`. I would, however, seriously question whether writing php code with php scripts is a good overall strategy. – grossvogel Apr 26 '13 at 15:41
  • @grossvogel If that will not allow the generated code to run, then `htmlspecialchars()` is not the solution I am looking for. Unfortunately I am stuck with the output being written to the file as plain-text. Perhaps my particular problem cannot be solved :( – Chris Bier Apr 26 '13 at 15:43
  • You don't have a problem that can't be solved. if you follow your code snippet with `file_put_contents('/file/path', $phpCode);` you will get the code, opening tag and all, written to `/file/path`. I think bigger problems lie in **why** you're trying to build php scripts by running other php scripts. – grossvogel Apr 26 '13 at 15:48
  • Ok, just to be clear. These are merely code snippets that need to be put into a dynamically generated website conditionally. Otherwise I would just put them right into the destination document rather than putting the code into strings and placing them into the document that way. – Chris Bier Apr 26 '13 at 15:57
  • But the dynamically generated document is... dynamically generated. So why can't this 'snippet generating' logic just be moved directly into the 'document generating' code? – grossvogel Apr 26 '13 at 16:05
  • We are using a separate parsing engine that will replace template variables (e.g. `{code_snippet}`) that puts the code in as plain-text. That is why I am afraid that merely modifying the variable will not do in this situation. I am going to have to dig deeper and change the way that the parsing engine will put in the code. – Chris Bier Apr 26 '13 at 16:12
  • Ah... I was about to add that a template engine is the one good reason I can think of for doing this. Sorry to give you a hard time, and good luck. – grossvogel Apr 26 '13 at 16:19

7 Answers7

12

Use htmlspecialchars():

$phpCode = '<? if($condtion){ ?>';
echo htmlspecialchars($phpCode);
JustAPoring
  • 258
  • 1
  • 12
John Conde
  • 217,595
  • 99
  • 455
  • 496
  • 3
    Shouldn't `htmlspecialchars()` be enough escaping? [Escaping all entities is slight overkill.](http://stackoverflow.com/questions/46483/htmlentities-vs-htmlspecialchars) – grossvogel Apr 26 '13 at 15:31
  • Thanks! This seems to have worked :) Yet since the output is going to be plain-text, I set my variables as such: `$phpCode = htmlspecialchars(' if($condtion){ ?>');` – Chris Bier Apr 26 '13 at 15:39
  • As @grossvogel mentioned in a comment on the question, this will not allow the code to be run. I need to place the code into a php file that will be run later. Therefore, the contents of `$phpCode` needs to be executable. It seems that my predicament is that I am restricted to plain-text output into the destination document. – Chris Bier Apr 26 '13 at 15:46
6

You need to echo htmlspecialchars($phpCode);

Adder
  • 5,708
  • 1
  • 28
  • 56
1

try these $str= htmlentities('<?php //***code***// ?>');

Mercurial
  • 3,615
  • 5
  • 27
  • 52
0

You can also use HTML entities.

When you replace just the opening square bracket in PHP, the rest will be considered a string when parsed with echo:

<?php
    //&lt; is the HTML entity for '<' (without quotes).
    $str = '&lt;?php yourstring ?>';
    echo $str;
?>

Source HTML Entities

SidOfc
  • 4,552
  • 3
  • 27
  • 50
0

You can output PHP code as text in following way

$phpCode = '<? if($condtion){ ?>';
echo "<pre>";
echo htmlspecialchars($phpCode);
echo "</pre>";
Subodh Ghulaxe
  • 18,333
  • 14
  • 83
  • 102
0

There's already a few answers to this, but just to add my $0.02...

This code:

<?php
    $test = '<?php echo "hello world!"; ?>';
    echo $test;
?>

Produces a blank white screen in the browser, but if you view the source you'll see this output: 

<?php echo "hello world!"; ?>

This has to do with the way the browser is rendering your PHP code. Browsers aren't meant to render PHP code, but rather HTML markup. If you're echoing out the code because you're testing what is going to be written to your file, then just view the source to validate what is being output is what you want to be written to the file. You won't see it in the browser itself because it doesn't know how to render the ?php tag, let alone what to do with the echo attribute.

Optionally, like everyone has stated already you can pass the string through htmlspecialchars if all you want to do is render it in the browser without having to view source. You wouldn't want to do that if you're writing it to the file, but may help you debug your output.

Another option would be to run your script from the command line. It won't attempt to render your output and instead just spit it out verbatim.

Jeff Lambert
  • 24,395
  • 4
  • 69
  • 96
-1

Eval php documentation

Use Eval() if you want to run the code in the string.

Example

$str = "Hello ";
eval('$str .= "World"');

echo $str;
/* Output: Hello World */
S.Visser
  • 4,645
  • 1
  • 22
  • 43