php - no need to escape variables when echoing?

Question

So I was just goofing off, when I realized I hadn't escaped my variables I was wanting to echo, but the weird thing is that it works.

$item = ['name'=>'jeremiah', 'age'=>'22'];

echo "<ul>";
foreach($item as $key => $value) {
    echo "<li> $key - $value</li>";
}

echo "</ul>";

when what you should have to do is this

$item = ['name'=>'jeremiah', 'age'=>'22'];

echo "<ul>";
foreach($item as $key => $value) {
    echo "<li>" . $key . " - " .  $value . "</li>";
}

echo "</ul>";

It's been a few years since I have really done much php, but when did this change?

PHP 7.2.2 (cli) (built: Jan 31 2018 19:31:15) ( NTS MSVC15 (Visual C++ 2017) x64 )

This is generally referred to as "String interpolation" btw. You can probably search the PHP docs for that. — Carcigenicate, Jun 06 '18 at 14:24
"but when did this change?" — As far as I know: Never. PHP has always supported string interpolation. — Quentin, Jun 06 '18 at 14:26
In double quotes that'd work as expected. In single quotes that still wouldn't function as you'd expect. You'd get the literal variables. You also could be open to XSS injections but I don't think that is what this question is about. Neither example is escaping anything — user3783243, Jun 06 '18 at 14:27
How would you cross site attack something that doesn't except user input and has hard code variables? I mean if I was going to accept user input I would be writing something more like this $name = filter_input(INPUT_GET, 'name', FILTER_SANITIZE_STRING); but if I am hard coding variables where nothing is user accessible, I am not sure why I would need to escape anything... correct me if I am wrong, always willing to learn — Jeremiah S., Jun 06 '18 at 14:31

score 2 · Accepted Answer · answered Jun 06 '18 at 14:23

2

When you put a variable inside double quotes it will resolve the value. This has always been the case.

So:

echo "<li> $key - $value</li>";

And

echo "<li>" . $key . " - " .  $value . "</li>";

Will give you the same result.

answered Jun 06 '18 at 14:23

Mr Glass

1,186
1
6
14

okay, guess I am just out of practice and or easily confused, been about 10 - 12 years since I have been an actual developer. – Jeremiah S. Jun 06 '18 at 14:26

treyBake · Answer 2 · 2018-06-06T14:37:46.723

there are a few things to note:

double quotes will print variable within the string:

$var = 'hello';
echo "$var world"; # this will print hello world

single quotes will not print variable value within the string:

$var = 'hello';
echo '$var world'; # this will print $var world

What you're after (or thought you were after) was concatenation which simply means joining, like this:

$varOne = 'hello';
$varTwo = 'world';

echo $varOne. ' ' .$varTwo. ' - some other string'; # will print hello world - some other string

The best practice is single quotes and concatenation, this is due to being able to clearly see when a variable is being used in a string, the third option is much clearer to read than the first. Also, single quotes execute faster than double quotes (not by much, by it does add up).

kamadori · Answer 3 · 2018-06-06T14:32:04.397

0

For what I know, when I started studying PHP (5years ago), between double quotes, you can echo a variable, but not between single quotes.

edited Jun 06 '18 at 14:32

answered Jun 06 '18 at 14:27

kamadori

9
3

1

The URL you reference has nothing to do with the question. – Quentin Jun 06 '18 at 14:28
I removed it. There were example of various way of echoing a variable with php (concatenation, between double quotes, curly brackets), even if it was not the main subject of page... – kamadori Jun 06 '18 at 14:42

php - no need to escape variables when echoing?

3 Answers3