0

When I run the following script, nothing gets printed. Why is it so?

<?php
  $var = "<?php echo 'Hey !'; ?>";
  echo $var;
?>
Suhail Gupta

5 Answers

1

It echoes "nothing" because your browser doesn't understand <?php tags, so it won't show the tag contents; it should show something when you view the page source, though.

The reason for this behaviour is that the default content type of your script is set as text/html (you can confirm this by looking at the response headers) and in the context of HTML, you should use htmlspecialchars():

echo htmlspecialchars($var);

In fact, as a general rule, you should always escape variables appropriately when you output them.

Alternatively you could let the browser know that your output should not be interpreted as HTML; you can do this by setting an appropriate response header:

header('Content-Type: text/plain');

With the above content type your output is shown verbatim by the browser.

Ja͢ck
  • Is there a way I can execute the script inside the variable `$var`? – Suhail Gupta Oct 22 '13 at 05:09
  • 1
    @SuhailGupta If a variable contains a script, you could use `eval()` to run it, but I would recommend against doing that. – Ja͢ck Oct 22 '13 at 05:10
  • `eval` doesn't run this `$var = "$handle = fopen('data.txt'); $str = 'Hey !'; fwrite($handle,$str);";` Why is it so? – Suhail Gupta Oct 22 '13 at 05:23
  • @SuhailGupta Just ... stop ... why are you even trying to do that? – Ja͢ck Oct 22 '13 at 05:29
  • For no reason. Just wanted to know, why – Suhail Gupta Oct 22 '13 at 05:30
  • @SuhailGupta First rule of `eval()` is to not use it, so please don't. Also, read up on the difference between double quotes and single quotes [here](http://php.net/manual/en/language.types.string.php). – Ja͢ck Oct 22 '13 at 05:32
  • I am just experimenting and nothing changed when I changed the code to `$var = "$handle = fopen(\'data.txt\'); $str = \'Hey !\'; fwrite($handle,$str);";` – Suhail Gupta Oct 22 '13 at 05:41
  • 1
    @SuhailGupta I have no idea what you would expect from running that code. – Ja͢ck Oct 22 '13 at 05:45
  • A file with the name `data.txt` to be created with the text `Hey!`. – Suhail Gupta Oct 22 '13 at 05:47
  • @SuhailGupta Then why don't you just write `file_put_contents('data.txt', 'Hey !');`? – Ja͢ck Oct 22 '13 at 05:48
  • As I told you...I want to know why `eval` won't run that – Suhail Gupta Oct 22 '13 at 05:50
  • @SuhailGupta That last code didn't even have an `eval()` in it. Just `echo` the string first and see what is about to get executed and then you will know what I meant with the difference of quoting styles. – Ja͢ck Oct 22 '13 at 05:53
  • @SuhailGupta Feel free to join the PHP chat room for stuff like this btw. – Ja͢ck Oct 22 '13 at 05:59
  • It prints `= fopen('data.txt','w'); = 'Hey !'; fwrite(,);` when `$var = "$handle = fopen('data.txt','w'); $str = 'Hey !'; fwrite($handle,$str);";` – Suhail Gupta Oct 22 '13 at 06:01
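
The two points from the answer and comment thread above, escaping for the HTML context and how double quotes change a stored snippet, shown together as an added example that is not part of the original answers. The helper name `e()` and the sample values are constructed for illustration.

```php
<?php
// Added example: escape at output time, for the context the value lands in.

/** Escape a value for an HTML text node or a quoted attribute value. */
function e(string $value): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 with U+FFFD instead of making the whole result an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Single quotes: no variable interpolation, the snippet is stored verbatim.
$single = '$handle = fopen(\'data.txt\', \'w\'); fwrite($handle, \'Hey !\');';

// Double quotes interpolate $handle while the string is being built, which is
// why the thread's echo shows "= fopen(...)". Escaping the dollar sign (\$)
// keeps it literal and produces exactly the same string as $single.
$double = "\$handle = fopen('data.txt', 'w'); fwrite(\$handle, 'Hey !');";

if ($single !== $double) {
    throw new LogicException('quoting styles produced different strings');
}

// Constructed sample values, starting with the string from the question.
$samples = [
    "<?php echo 'Hey !'; ?>",
    $single,
    'Tom & "Jerry" <b>bold</b>',
];

header('Content-Type: text/html; charset=UTF-8');
echo "<!doctype html>\n<title>escaping demo</title>\n<ul>\n";
foreach ($samples as $s) {
    // The same value is placed in an attribute and in a text node; both go
    // through e(), so the browser displays the characters instead of parsing
    // them as markup.
    printf("  <li title=\"%s\"><code>%s</code></li>\n", e($s), e($s));
}
echo "</ul>\n";
```
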
0

Change this

$var = "<?php echo 'Hey !'; ?>";

into this

$var = "&lt;?php echo 'Hey !'; ?&gt;";
user2727841
0

Because your syntax is wrong for the PHP engine... make the change as:

<?php
  $var = "<?php echo 'Hey !'; ?>";
  echo $var;
?>

to

<?php
  $var = 'Hey !';
  echo $var;
?>
Dinesh
0

Set the content type as text and you can see your output in your browser.

<?php
  header('Content-type: text/plain');
  $var = "<?php echo 'Hey !'; ?>";
  echo $var;
?>

It is because your browser is expecting HTML and it doesn't understand the PHP tags you have in the output.

Otherwise, using the htmlspecialchars function would be a better option.

Mithun Satheesh
0

Try something like this:

$var = '<?php echo \'Hey !\';?>';
echo htmlspecialchars($var);
rajesh kakawat