2

I have these two lines that I would like to escape the $type variable:

$functionName = str_replace('-', '_', $type);
$output .= '<div class="tab-pane" id="'. $type .'">';

I tried escaping like below, but it's confusing me and I'm not sure whether that's right:

$output .= '<div class="tab-pane" id="\'. $type .'\">';
user3312508
  • 907
  • 4
  • 10
  • 25
  • 1
    That is not right. You don't need to escape there. You would only need to escape if your quotes are the same type. `' ';`
    – Rasclatt Dec 18 '14 at 21:11
  • 1
    The first code block is okay! The second... just delete it – Rizier123 Dec 18 '14 at 21:12
  • What are the contents of `$type` that you need to escape? Are you possibly looking for something like http://us1.php.net/manual/en/function.htmlentities.php? – WOUNDEDStevenJones Dec 18 '14 at 21:12
  • Read up on HEREDOCs, string interpolation, HTML allowing varying quoting, or HTML5 mostly not requiring it anymore (in this case anyway). – mario Dec 18 '14 at 21:15
  • You don't need to escape at all. But if your `$type` can contain double quotes, you will need to consider that to prevent your HTML from being broken in that case. – developerwjk Dec 18 '14 at 21:40

3 Answers

3

Example 1: Variable between single quotes

If you use single quotes everything between them will always be treated as part of the string.

$output .= '<div class="tab-pane" id="' . $type . '">';

Example 2: Variable between double quotes (option 1)

If you have a variable that you want to put in a string, you can just place it there if you use double quotes and the variable is not 'touching' the other words. It should always have spaces.

$output .= "<p>i would like to $your_text_here with you.</p>";

Example 3: Escaping quotes in a string

Escaping characters in a string can be done by using a \ (backslash) before the character you want to escape.

$output .= "<div class=\"tab-pane\" id=\"example-id\">";

Example 4: Variable between double quotes without spaces next to it

You can place your variable between {} braces if you use double quotes (option 2)

$output .= "<div class=\"tab-pane\" id=\"{$type}\">";

This question was however already answered in Mixing PHP variable with string literal

Community
  • 1
  • 1
Marc van Nieuwenhuijzen
  • 1,637
  • 1
  • 14
  • 22
2

Your first block is doing string replacements, but then you use the ORIGINAL string, not the replaced one:

$output .= '<div class="tab-pane" id="' . $functionName . '">';

would be more correct. On the second one, you're escaping the `'` quotes, which means that you never terminate the string, meaning that the `. $type .` portion is treated as plain text within the string, not a PHP concatenation operation. Try

$output .= '<div class="tab-pane" id="' . $type . '">';

instead. Note the LACK of backslash escapes.

And of course, you could use a HEREDOC, eliminating any need to escape quotes entirely:

$output .= <<<EOL
<div class="tab-pane" id="{$functionName}">
EOL;
Marc B
  • 356,200
  • 43
  • 426
  • 500
-1

In this case, you don't need to escape at all. You only escape within the same type of quotes. You don't escape double inside single or single inside double.

So with 'o'reilly' you would escape like 'o\'reilly'. But with "o'reilly" you'd just keep it as "o'reilly". But with "He said "hello"" you'd escape "He said \"hello\"". Yet, with 'He said "hello"' you would not escape at all.

But if your $type variable can contain double quotes, you will need to consider that to prevent your HTML from being broken in that case. How you would handle the quotes inside the variable $type would be by replacing the " with its HTML entity equivalent:

$output .= '<div class="tab-pane" id="' . str_replace('"', '&quot;', $type) . '">';

Or use htmlentities() which will do the same replace as well as others.

Note, it's the double quotes inside the variable you would want to handle, not the single quotes outside that you would escape. Because presumably the issue is that if the variable contained double quotes it would break your HTML, since you are using double quotes around the value for id:

i.e. id="contents_of_type_variable"

If you had id="contents"_of_type_variable" your HTML would be broken.

So you change that to id="contents&quot;_of_type_variable"

If you're trying to escape something else, it is due to a misunderstanding.

developerwjk
  • 8,619
  • 2
  • 17
  • 33
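The point raised in the answer above is the one that actually matters for security: the quoting of the PHP string literal is irrelevant, but a `$type` that reaches the `id="..."` attribute unescaped can close the attribute and inject a new one (for example an event handler). The following is an added example, not code from the question or from any of the answers. It keeps the question's `$type` and `$output` names and uses constructed sample inputs. It shows the original unescaped line beside two hardened versions: `htmlspecialchars()` with `ENT_QUOTES` passed explicitly (before PHP 8.1 the default flags were `ENT_COMPAT`, which leaves single quotes alone, so a bare `htmlentities()` call would not protect a single-quoted attribute), and a stricter allowlist, since an HTML id is an identifier rather than free text and does not need to carry arbitrary characters at all. The `str_replace('"', '&quot;', ...)` approach from the answer is enough for a double-quoted attribute but leaves `&`, `<`, `>` and `'` untouched, so it breaks the moment the surrounding quote style changes.

```php
<?php
// Added example (not from the original question or answers): escaping a
// user-controlled value in an HTML attribute context. $type is the variable
// from the question; the sample values below are constructed.

/**
 * Hardened version of the line from the question. htmlspecialchars() with
 * ENT_QUOTES converts &, <, >, " and ', so the value can neither close the
 * id="..." attribute nor start a new tag, whichever quote style wraps it.
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
 */
function renderTabPane(string $type): string
{
    $safeType = htmlspecialchars($type, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="tab-pane" id="' . $safeType . '">';
}

/**
 * Stricter alternative for an id attribute: an allowlist of identifier
 * characters is easier to reason about than output escaping. Anything
 * outside [A-Za-z0-9_-] (and not starting with a letter) is rejected.
 * The pattern is this example's own choice, not something from the answers.
 */
function renderTabPaneStrict(string $type): string
{
    if (!preg_match('/\A[A-Za-z][A-Za-z0-9_-]*\z/', $type)) {
        throw new InvalidArgumentException('Unexpected characters in tab id');
    }
    return '<div class="tab-pane" id="' . $type . '">';
}

// Constructed sample inputs: a normal id, and a value that tries to break
// out of the attribute and attach an event handler to the element.
$samples = [
    'user-settings',
    'x" onmouseover="alert(1)',
];

foreach ($samples as $type) {
    // The original, unescaped line from the question, kept for comparison.
    $unsafe = '<div class="tab-pane" id="' . $type . '">';

    echo "input:   $type\n";
    echo "unsafe:  $unsafe\n";
    echo "escaped: " . renderTabPane($type) . "\n";
    try {
        echo "strict:  " . renderTabPaneStrict($type) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "strict:  rejected (" . $e->getMessage() . ")\n";
    }
    echo "\n";
}
```

Run it with `php` on the command line and compare the three lines for the second sample: the unsafe version emits a live `onmouseover` attribute, the escaped version keeps the whole value inside `id="..."` as `&quot;`-encoded text, and the strict version refuses the input outright. Which of the two hardened forms to use depends on whether `$type` is meant to carry arbitrary text or, as here, an identifier.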