1

I use HTML code inside PHP like below:

    <?php
    // Static HTML emitted from PHP: the PHP string is single-quoted, so the
    // double-quoted HTML attributes need no escaping. No request data is
    // interpolated into this string.
    echo '<span class="input-group-addon"><i class="glyphicon glyphicon-pencil w3-large" name="topic_subject"> subject</i></span>
          <br />
          <textarea name="post_content" id="editor1"></textarea>
          <br />
          <div class="w3-col s1 m1 l1"><p></p></div>
          <div class="w3-left">
          <button class="w3-button w3-xlarge tableButtons w3-middle" id="save">save</button>
           &nbsp;&nbsp;
          <a onclick="history.go(-1);" class="w3-button w3-xlarge tableButtons w3-left">cancel</a>
          </div>
          </form>';   // closes a <form> opened earlier in the file (not shown in the question)

I use single quotes, then I use double quotes instead of backslashes to escape. Is that way safe or not?

Beginner
  • 49
  • 8
  • I'm voting to close this question as off-topic because it is asking for a code review (and is thus too broad / opinion based). It could probably be adjusted to be on topic for [the code review stackexchange](http://codereview.stackexchange.com/help/on-topic). – Quentin Jun 03 '17 at 13:37
  • Safe in what matter? In the PHP way, yes, because you just echo a string. – Markus Zeller Jun 03 '17 at 13:57
  • Small correction, use `mysqli_real_escape_string()`, mysql is deprecated. Your code is 100% safe, don't worry, no problem when you only want to print text on page. – one_question Jun 03 '17 at 13:35

2 Answers

0

It's safe indeed, but not because you use single quotes. Echoing this string would give the same result as making a normal HTML page. Outputting HTML from your PHP is usually safe as long as you know what you output.

Using single quotes does provide an advantage when posting an HTML string though, that is because with single quotes you don't have to escape the double quotes in your HTML.

E.g.: `echo '<span class="input-group-addon">';` would become `echo "<span class=\"input-group-addon\">";` if you were to use double quotes.

Using data directly from your html form to query or filter is a bigger risk because it's prone to SQL injection. For more information I'd like to refer you to an article on the PHP.net website on what it is and how to prevent it.

Asperitas
  • 339
  • 6
  • 13
  • "Using single quotes does provide an advantage when posting a html string though, that is because with single quotes you don't have the escape the double quotes in your html" — Swap every instance of "single" with "double" and that makes just as much sense. – Quentin Jun 03 '17 at 13:35
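An added example (not code from the question or from this answer) illustrating the distinction the answer draws: echoing literal HTML from PHP is safe, while placing request data inside that HTML is only safe once each value is escaped for the HTML context it lands in. The function names and sample inputs are constructed for the illustration; the field names `topic_subject` and `post_content` are the ones used in the question.

```php
<?php
// Added example, not code from the question or the answer. Shows why the
// static echo in the question is safe and what changes as soon as request
// data is placed inside the HTML. Function names and sample inputs are
// constructed; topic_subject and post_content are the question's field names.

// Literal HTML with no request data: nothing here can be influenced by the
// client, so echoing it is equivalent to serving a static page. Single quotes
// around the PHP string mean the double-quoted attributes need no escaping.
function renderStaticToolbar(): string
{
    return '<div class="w3-left">'
         . '<button class="w3-button w3-xlarge tableButtons w3-middle" id="save">save</button>'
         . '&nbsp;&nbsp;'
         . '<a onclick="history.go(-1);" class="w3-button w3-xlarge tableButtons w3-left">cancel</a>'
         . '</div>';
}

// Unsafe: request values are dropped into the markup verbatim. A quote in
// $subject ends the value="" attribute early, and "</textarea>" in $content
// ends the textarea early, so the client decides what markup follows.
function renderEditorUnsafe(string $subject, string $content): string
{
    return '<input type="text" name="topic_subject" value="' . $subject . '">'
         . '<textarea name="post_content" id="editor1">' . $content . '</textarea>';
}

// Safe: every request value is escaped for HTML before it is concatenated.
// ENT_QUOTES covers both ' and ", which matters inside attribute values.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderEditorSafe(string $subject, string $content): string
{
    return '<input type="text" name="topic_subject" value="' . esc($subject) . '">'
         . '<textarea name="post_content" id="editor1">' . esc($content) . '</textarea>';
}

// Constructed sample submission: a quote in the subject, a closing tag in the body.
$subject = 'Plain "quoted" title';
$content = 'first line</textarea><p>not part of the post</p>';

echo renderStaticToolbar(), PHP_EOL;
echo renderEditorUnsafe($subject, $content), PHP_EOL;  // page structure is altered by the data
echo renderEditorSafe($subject, $content), PHP_EOL;    // browser shows the data as literal text
```

Run it with `php` on the command line: the third line of output contains `&quot;` and `&lt;/textarea&gt;` where the raw characters were, which the browser renders as text rather than as markup. The answer's "as long as you know what you output" comes down to this split: the static string is known, the request values are not, so they are escaped at the point of output.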
-1

This should be perfectly safe, since you're just outputting code. If you were taking code and storing it on a database, however, you should use `mysql_real_escape_string()` http://php.net/manual/en/mysqlinfo.api.choosing.php.

Just to be clear, this is an unofficial opinion and if some crazy new hack comes out, don't blame me! haha

Polymer
  • 1,108
  • 1
  • 9
  • 17
  • When I'm storing data in the database I use prepared statements, so I think it's safe without using `mysql_real_escape_string()` – Beginner Jun 03 '17 at 13:34
  • 1
    **Warning**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) which has been **removed** entirely from the latest version of PHP. You should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). – Quentin Jun 03 '17 at 13:34
  • Sorry, you are quite right, not sure what I was thinking with that one. Edited – Polymer Jun 03 '17 at 13:46
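An added example (not code from this answer or from the question) for the point raised in the comments above: with prepared statements the driver sends user data separately from the SQL text, so no `mysql_real_escape_string()`-style escaping is needed, and the obsolete `mysql_*` API is not involved at all. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; with MySQL only the DSN and credentials change. The table, function names and sample values are constructed for the illustration; the column names follow the question's `topic_subject` and `post_content` fields.

```php
<?php
// Added example, not code from the answer or the question. Contrasts SQL
// built by string concatenation with a prepared statement. Table, function
// names and sample values are constructed; SQLite in memory stands in for
// MySQL so the script runs offline.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, subject TEXT NOT NULL, content TEXT NOT NULL)');

// Vulnerable pattern: submitted values are interpolated into the query text,
// so a quote character in the data changes the meaning of the statement.
function storePostUnsafe(PDO $db, string $subject, string $content): void
{
    $db->exec("INSERT INTO posts (subject, content) VALUES ('$subject', '$content')");
}

// Safe pattern: placeholders in the SQL, values bound at execute time. The
// data never becomes part of the statement text, whatever characters it holds.
function storePostSafe(PDO $db, string $subject, string $content): int
{
    $stmt = $db->prepare('INSERT INTO posts (subject, content) VALUES (:subject, :content)');
    $stmt->execute([':subject' => $subject, ':content' => $content]);
    return (int) $db->lastInsertId();
}

// Reads a row back, again through a bound parameter.
function fetchSubject(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT subject FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['subject'];
}

// Constructed sample input containing a single quote, the character that
// breaks naively string-built SQL even when the sender means no harm.
$subject = "O'Reilly on PHP";
$content = "it's fine";

try {
    storePostUnsafe($db, $subject, $content);
} catch (PDOException $e) {
    echo 'string-built query failed: ', $e->getMessage(), PHP_EOL;
}

$id = storePostSafe($db, $subject, $content);
echo 'stored via prepared statement, id=', $id, ', subject=', fetchSubject($db, $id), PHP_EOL;
```

The string-built insert fails on an ordinary apostrophe; the prepared statement stores the same value unchanged. That failure on benign input is the everyday symptom of the same defect that makes concatenated SQL injectable, which is why binding parameters, as the commenter already does, replaces manual escaping rather than supplementing it.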