5

All of the following commands work but which one is considered correct in terms of security, compatibility, speed, and other conventions?

//one
echo "$row->first_name $row->last_name <br />";

//two
echo $row->first_name . ' ' . $row->last_name .'<br />';

//three
echo $row->first_name;
echo $row->last_name;
echo '<br />';
CyberJunkie

7 Answers

7

Although not one of the styles you specified, I recommend using braces for echo-ing strings, mostly on a compatibility note.

echo "Welcome back, {$row->first_name} {$row->last_name}";

More information about this type of syntax can be found in PHP Strings.

drfranks3
4

There's absolutely no difference in terms of security among the choices you posted. I'd go for something along the lines of:

<p class="name"><?php echo htmlspecialchars("$row->first_name $row->last_name"); ?></p>
  • no <br />, they're not usually a good choice
  • do your styling in CSS using classes
  • escape output (security!!)
  • separate HTML from PHP values
  • minimal syntax
  • the speed difference won't matter
deceze
  • For "separate HTML from PHP values", you might want to defer to D Franks's answer, i.e. `{$row->thing}s` vs. "undefined property" `$row->things`. – bob-the-destroyer Jun 30 '11 at 01:41
  • @bob There's no ambiguity in this case, so it doesn't make a difference. If you were to "pluralize" your strings, sure, that'd be a valid concern. Also, where's HTML involved there? – deceze Jun 30 '11 at 01:42
  • I think this case might be intended to be ambiguous (a random example of object properties embedded in strings), so a generalized answer (a combination of yours plus mention of D Franks's) may be best. This is just my opinion though. Re: "where's HTML involved there", it's the "s" referring to the final/actual text output. I may have misunderstood though. – bob-the-destroyer Jun 30 '11 at 02:02
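The escaping point in deceze's answer is the one security-relevant difference on this page, and it is orthogonal to which echo style is used. The following is an added example, not code from the question or any answer: it feeds a constructed record whose values contain markup and a quote through style one as posted, then through the same output with each value encoded at the point it enters the HTML. The helper `h()` is a hypothetical name; the `htmlspecialchars` flags are standard PHP.

```php
<?php
declare(strict_types=1);

// Constructed sample record standing in for a database row; the values are
// what a user might have submitted at registration time.
$row = (object) [
    'first_name' => '<script>alert(1)</script>',
    'last_name'  => "O'Brien",
];

// Hypothetical helper (not from the thread): encode a string for an HTML
// element body or a double-quoted attribute value. ENT_QUOTES also encodes
// single quotes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Style one from the question, as posted: the markup in first_name reaches the
// browser unchanged, so the script element would be parsed and run.
function renderUnescaped(object $row): string
{
    return "$row->first_name $row->last_name <br />";
}

// The same markup with each value encoded. Encoding the values into local
// variables first keeps the interpolation readable, and the braces make the
// variable boundary explicit (the `{$row->thing}s` point from the comments).
function renderEscaped(object $row): string
{
    $first = h($row->first_name);
    $last  = h($row->last_name);
    return "{$first} {$last}<br />";
}

// Encoding applies to the data, not to the template's own markup: the <p>,
// the class attribute and the separating space are literals written by the
// developer and must stay as they are.
function renderName(object $row): string
{
    return sprintf('<p class="name">%s %s</p>', h($row->first_name), h($row->last_name));
}

echo renderUnescaped($row), PHP_EOL;
echo renderEscaped($row), PHP_EOL;
echo renderName($row), PHP_EOL;
```

Run it from the command line with `php example.php` and compare the first line with the other two: only the first contains a literal `<script>` tag. The encoder is chosen for the HTML body/attribute context; a value placed inside a `<script>` block, a URL or a CSS rule needs a different encoder, which is why encoding is done where the value is output rather than once when it is stored.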
2

All of them are fine.

In terms of speed, the first option is probably the fastest but also the most annoying to read. The third one is just dumb.

I'd go with the second one because that's how I've seen it used in commercial PHP software.

Athlon1600
  • The first option is probably *slowest*, since PHP has to parse the string for variable substitutions. – deceze Jun 30 '11 at 01:27
  • @deceze, would the slowness be detected by humans? Or is it notable if echoing the string multiple times in a loop? – CyberJunkie Jun 30 '11 at 02:07
  • @Cyber If in doubt, *profile* it both ways, but it's hard to imagine you'd ever get into a situation where you'd really notice it. – deceze Jun 30 '11 at 02:15
1

All of them are fine as long as you have everything escaped/encoded properly. I'd go with the first one because it's the shortest and easiest to read.

Edit: I just did a small benchmark, and the second method is the slowest. The first method is the second-slowest. The third method is the fastest of the ones you posted, but the one Sinan suggested was about as performant.

icktoofay
  • I benchmarked the different methods and posted my results but I'm not sure how accurate they are. If anyone else wants to benchmark it, please do so. – icktoofay Jun 30 '11 at 01:42
1

Number one is the best option: it is readable and most likely the fastest despite PHP having to parse for variables (compared to multiple concatenation). The SO Question here demonstrates how concatenation can slow you down. The third option is just plain unreadable, and relatively slow due to the concatenation at the end. None of them have any kind of security issues, and even the performance gains are really negligible - for this kind of thing your goal should be readability.

Community
  • Concatenation is faster than parsing: http://codepad.org/tXU5LAkQ. The question you link to compares non-concatenation vs. concatenation, not concatenation vs. parsing. – deceze Jun 30 '11 at 01:39
  • @deceze Variables only need to be parsed once, multiple concatenation builds up - it might not occur in his example, but in more complex strings parsing will be faster. –  Jun 30 '11 at 01:43
  • OK, granted, for massive concatenations of many strings parsing may be faster. In the end it doesn't really matter though at all for tiny strings on this scale. – deceze Jun 30 '11 at 01:47
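Both icktoofay's benchmark and the parse-versus-concatenation exchange above come down to deceze's advice to profile it both ways. The following is an added example, not icktoofay's benchmark or any code from the thread: a small harness that times the three styles from the question plus the braces form from drfranks3's answer, discarding the echoed output so I/O does not dominate. `timeIt` is a hypothetical helper name; it assumes PHP 7.3 or later for `hrtime()`.

```php
<?php
declare(strict_types=1);

// Constructed record; the iteration count is arbitrary and only needs to be
// large enough that timer resolution and loop overhead do not dominate.
$row = (object) ['first_name' => 'Ada', 'last_name' => 'Lovelace'];
$iterations = 1000000;

// Hypothetical helper (not from the thread): run $fn $n times while swallowing
// echo output in an output buffer, and return wall-clock time in milliseconds.
function timeIt(callable $fn, int $n): float
{
    ob_start();
    $start = hrtime(true);
    for ($i = 0; $i < $n; $i++) {
        $fn();
    }
    $elapsed = hrtime(true) - $start;
    ob_end_clean();
    return $elapsed / 1e6;
}

// The four candidate styles, each wrapped in a closure so the loop body is
// exactly the statement under test.
$styles = [
    'one (interpolation)'   => function () use ($row) { echo "$row->first_name $row->last_name <br />"; },
    'two (concatenation)'   => function () use ($row) { echo $row->first_name . ' ' . $row->last_name . '<br />'; },
    'three (separate echo)' => function () use ($row) { echo $row->first_name; echo $row->last_name; echo '<br />'; },
    'braces (drfranks3)'    => function () use ($row) { echo "{$row->first_name} {$row->last_name}<br />"; },
];

// Warm up each closure once so first-call allocation does not penalise whichever
// style happens to run first, then time them for real.
foreach ($styles as $fn) {
    timeIt($fn, 1000);
}
foreach ($styles as $name => $fn) {
    printf("%-24s %8.2f ms for %d iterations\n", $name, timeIt($fn, $iterations), $iterations);
}
```

Run it several times and look at the ordering rather than a single number; on a warm PHP process the spread between styles for two short properties is a few tens of milliseconds per million echos, which is the "negligible" the answers above are talking about.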
1

I would say that being more explicit is the best way to go. I would also expect it to take longer for PHP to parse 1 because it has to determine if the tokens are variables inside the string or just part of the string. I lean towards 2, but sometimes you may have to split your strings into new lines to keep things under something like 72 columns in keeping with code styling guidelines. What I would suggest is to look up different code style guides like the one for Zend (http://framework.zend.com/manual/en/coding-standard.coding-style.html).

David
1

As others have said, there is no difference in security, just speed/preference.

But one thing to add: don't escape output on the fly. It's better to filter it before it gets stored in the database (single request) than keep doing it for every single request in the future.

Aleksey Korzun