
I am using this:

$variable = "Name is \"Bob\"";
$message = <<<EOF
    <input type="text" value="$variable">
EOF;

And the result is:

(screenshot of the rendered input field)

Actually, this is a synthetic example; I am working with a DB. But I tried: this synthetic example works (to simulate the problem; actually, it shows that what I am doing is not working).

Sharikov Vladislav

3 Answers


Yes, the quotes will appear in the HTML.

Since the quotes will end the attribute value, you'll make the HTML invalid.

You need to make the variable HTML-safe with htmlspecialchars().

Quentin

You are generating invalid HTML:

<input type="text" value="Name is "Bob"">

Please use htmlspecialchars() to encode $variable before insertion.

Álvaro González

A heredoc is just a convenient shortcut for a multi-line echo. It doesn't care WHAT'S in the string; it'll just be output.

There is NO difference between the following two constructs:

$foo = "A string with an \" embedded quote";

echo <<<EOL
Hello, $foo, how are you
EOL;

echo "Hello, $foo, how are you";

The only real difference is that you don't have to escape quotes in the rest of the string:

echo <<<EOL
This is a "quoted phrase" within a sentence
EOL;

echo "This is a \"quoted phrase\" within a sentence";

Marc B
  • Mhm. So it is better to encode all data with quotes before adding to the db, right? For example with `&quot;`, right? I mean, I have to use `htmlspecialchars()` before adding to the database, right? – Sharikov Vladislav Jun 17 '14 at 17:01
  • hell NO! (pardon my French). htmlspecialchars is **USELESS** for database purposes. You need to read this: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Marc B Jun 17 '14 at 17:09
  • Hm. I am already using PDO. I don't have problems with adding data to the base. As I realized now, data is stored in the database with quotes. Like `Some "name" data`, not `Some &quot;name&quot; data`. I have to store data in the 2nd format, right? PDO, as I use it, probably doesn't do it, does it? [How I use PDO?](http://i.gyazo.com/5739150374fcce505c8bb5eea6879d9b.png). [Results of that in the database](http://i.gyazo.com/eba434cebf901c4331a00e2f3e546fbd.png). – Sharikov Vladislav Jun 17 '14 at 17:16
  • No. The db doesn't care how you encode your quotes. It DOES care how you get those quotes into the db in the first place. – Marc B Jun 17 '14 at 17:19
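The comment thread above settles two separate questions: quotes get into the database safely through parameterised queries, and they get into HTML safely through `htmlspecialchars()` at output time, so the stored value itself is never encoded. The script below is an added example, not code from the thread or from the asker's application, that carries one value through both steps. It assumes an in-memory SQLite database (so it needs the `pdo_sqlite` extension) and three constructed inputs, including one that would break a string-concatenated query and one that would break an attribute; the table name and column are invented for the example.

```php
<?php
// Added example (not from the original thread): store the raw value with a
// PDO prepared statement, then escape only at the point where it meets HTML.
// Assumes the pdo_sqlite extension; the schema and inputs are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed inputs: the commenter's own example, a classic SQL-breaking
// string, and an attribute-breaking string.
$inputs = [
    'Some "name" data',
    "O'Brien'); DROP TABLE people; --",
    '" onfocus="alert(1)',
];

// Storing: with a prepared statement the driver sends the value separately
// from the SQL text, so quotes in the data are data, never SQL syntax.
// Nothing is HTML-encoded on the way in; htmlspecialchars() has no business here.
$insert = $pdo->prepare('INSERT INTO people (name) VALUES (:name)');
foreach ($inputs as $name) {
    $insert->execute([':name' => $name]);
}

// Reading back: rows hold exactly what was submitted, quotes and all.
function loadNames(PDO $pdo): array
{
    return $pdo->query('SELECT name FROM people ORDER BY id')
               ->fetchAll(PDO::FETCH_COLUMN);
}

// Rendering: this is the one place the data meets HTML, so escape here, for
// this context. ENT_QUOTES covers both quote styles of an attribute.
function renderInput(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<input type=\"text\" value=\"$safe\">";
}

$stored = loadNames($pdo);

// The round trip is lossless: the DROP TABLE attempt was stored as text, the
// table still exists, and no value was encoded on the way in.
if ($stored !== $inputs) {
    throw new RuntimeException('stored data does not match what was submitted');
}

foreach ($stored as $name) {
    echo renderInput($name), PHP_EOL;
}
```

Run with `php example.php`. Keeping the stored value raw is what lets the same row be rendered correctly in other contexts later (a JSON API, a CSV export, a plain-text e-mail), each with its own encoding applied at output; had `&quot;` been written into the column, every one of those consumers would have to undo it first.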