What does {$value} means inside of a curl post request?

Question

I have the following curl post request

   $Curl_Session = curl_init($url);
        curl_setopt($Curl_Session, CURLOPT_POST, count($post));
        curl_setopt($Curl_Session, CURLOPT_POSTFIELDS, "login={$username}&password={$password}");
        curl_setopt($Curl_Session, CURLOPT_HTTPHEADER, $headers);
        curl_setopt($Curl_Session, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($Curl_Session, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($Curl_Session, CURLOPT_SSL_VERIFYHOST, false );
        curl_setopt($Curl_Session, CURLOPT_SSL_VERIFYPEER, false );     
        $request = curl_exec($Curl_Session);

what does the use of {} means? Can this request be vulnerable to xss ( i mean the login and password parameters)?

It's a curl request with the type set to application/json

Answer 1

http://php.net/manual/en/language.types.string.php

Complex (curly) syntax

This isn't called complex because the syntax is complex, but because it allows for the use of complex expressions.

Any scalar variable, array element or object property with a string representation can be included via this syntax. Simply write the expression the same way as it would appear outside the string, and then wrap it in { and }. Since { can not be escaped, this syntax will only be recognised when the $ immediately follows the {.

Yes, the way you're using it is vulnerable to injection. You're better passing an array of POST fields, like this:

curl_setopt($Curl_Session, CURLOPT_POSTFIELDS, ['login' => $username, 'password' => $password];