About the Author

Chris Shiflett

Hi, I'm Chris, a web developer and a founding member of Analog. I live and work in Brooklyn, NY.


Quoting PHP Strings

PHP developers generally understand the difference between using single quotes versus double quotes to enclose a string. If you need stuff to be interpreted, you use double quotes. If you need to indicate a literal string, you use single quotes:

<?php

$string = 'two';

echo '<p>one $string three</p>';
echo "<p>one $string three</p>";

?>

Do you know what this will output? I think most of you do. You'll see the variable name on the first line and its value on the second:

one $string three

one two three

Try this one:

<?php

$one   = 'the\quick\brown\fox';
$two   = 'the\\quick\\brown\\fox';
$three = 'the\\\quick\\\brown\\\fox';
$four  = 'the\\\\quick\\\\brown\\\\fox';

echo "<p>$one</p><p>$two</p><p>$three</p><p>$four</p>";

?>

It surprises many people to see that this code produces the following:

the\quick\brown\fox

the\quick\brown\fox

the\\quick\\brown\\fox

the\\quick\\brown\\fox

Although it's not necessary to escape backslashes inside a string enclosed with single quotes, two consecutive backslashes are interpreted as one. Surprised?

If you want a string that contains single quotes, you need to escape them with a backslash (or enclose the string with double quotes):

<?php

$name = 'O\'Reilly';
$name = "O'Reilly";

?>

What do you do if you need to have a backslash followed by a single quote in your string? You have to escape both:

<?php 

echo 'Escape single quotes like this: \\\'';

?>

This will output the proper instructions for escaping a single quote:

Escape single quotes like this: \'

Therefore, within a string enclosed with single quotes, PHP needs to allow both single quotes and backslashes to be escaped. I'm not sure if this is explained very clearly in the manual:

To specify a literal single quote, you will need to escape it with a backslash (\), like in many other languages. If a backslash needs to occur before a single quote or at the end of the string, you need to double it. Note that if you try to escape any other character, the backslash will also be printed!

Hopefully it all makes more sense now. :-)
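The rule described above, written out as a small decoder and checked against what PHP itself stores for the post's literals. This is an added example, not code from the original post; decode_single_quoted() is a hypothetical name and the raw input strings are constructed.

```php
<?php
// Added example, not code from the original post. decode_single_quoted()
// is a hypothetical name; it models the rule, it is not PHP's own lexer.

// Turn the raw source text between the quotes of a single-quoted literal
// into the value PHP stores. Only \\ and \' are escapes; a backslash in
// front of anything else is kept as a literal backslash.
function decode_single_quoted(string $src): string
{
    $out = '';
    $len = strlen($src);
    for ($i = 0; $i < $len; $i++) {
        $next = $i + 1 < $len ? $src[$i + 1] : '';
        if ($src[$i] === '\\' && ($next === '\\' || $next === "'")) {
            $out .= $next; // recognised escape: emit the escaped character
            $i++;          // and consume both source characters
        } else {
            $out .= $src[$i]; // ordinary character or a lone backslash
        }
    }
    return $out;
}

$bs = chr(92); // one backslash, built without writing any escape sequence

// The four literals from the post, keyed by backslashes typed in the source.
$literals = [
    1 => 'the\quick',
    2 => 'the\\quick',
    3 => 'the\\\quick',
    4 => 'the\\\\quick',
];

foreach ($literals as $typed => $value) {
    $raw = 'the' . str_repeat($bs, $typed) . 'quick'; // constructed source text
    $decoded = decode_single_quoted($raw);
    // The model must agree with what PHP itself produced for the literal.
    if ($decoded !== $value) {
        throw new RuntimeException("model disagrees for $typed backslashes");
    }
    printf("%d typed -> %d stored: %s\n", $typed, substr_count($value, $bs), $value);
}

// The post's other case: a backslash followed by a single quote.
$raw = 'like this: ' . $bs . $bs . $bs . "'";
if (decode_single_quoted($raw) !== 'like this: \\\'') {
    throw new RuntimeException('model disagrees for the quote case');
}
echo decode_single_quoted($raw), "\n";
```

Because the decoder scans left to right and consumes escapes in pairs, an odd backslash left over before an ordinary character is kept rather than dropped.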

About This Post

Quoting PHP Strings was posted on Thu, 25 Aug 2005 at 23:45:54 GMT.

6 Comments

1. Chris Shiflett said:

By the way, I bring this up to help dissect criticisms of stripslashes() that use this as a test case:

echo stripslashes('chris\\shiflett');

This is actually the same as:

echo stripslashes('chris\shiflett');

Therefore, only one slash is really being stripped. If you want to argue that stripslashes() should only remove slashes that could have been added by addslashes(), that's fine, but don't use misleading test cases just to give your argument more weight.

Fri, 26 Aug 2005 at 02:05:51 GMT Link


2. Don Laur said:

Thanks. That was very helpful. You got me on that. I will have to keep note of that for the future.

Fri, 26 Aug 2005 at 15:49:43 GMT Link


3. Jesse Burns said:

What is the behavior of single/double quotes when it comes to arrays? Namely $_GET and $_POST variables.

For example, using $_POST variable for output. Which of the following would be correct? Or would both be correct?

echo "Hello, $_POST['name'], I hope you have a wonderful day.";

echo 'Hello, $_POST[\'name\'], I hope you have a wonderful day.';

The following example is how I usually use arrays and strings, because I'm not sure of the ramifications of the above:

echo "Hello,".$_POST['name'].", I hope you have a wonderful day.";

Plus, are there any advantages performance/security wise between the different ways of displaying variables/arrays?

Fri, 26 Aug 2005 at 23:00:33 GMT Link


4. Chris Shiflett said:

Hi Jesse,

For arrays, you can use curly braces around the entire variable name:

echo "Hello, {$_POST['name']}.";

This comes in handy in other situations, too:

$prefix = 'un';

echo "This is {$prefix}believable.";

Hope that helps.

Sat, 27 Aug 2005 at 01:26:11 GMT Link


5. Intchanter said:

I prefer to use the "{$var}" style everywhere for consistency, as it makes it far less likely that an innocent edit sometime down the road will break something.

I also eschew concatenating with '.' where possible, as concatenating strings tends to be slow and the variable interpolation step happens to all the strings anyway. The times when it is not possible (without tricks) are when including a constant, or the results of a function or unbound method.

Tue, 22 Nov 2005 at 22:08:17 GMT Link


6. Stephen said:

But the behavior breaks down if you go any further. The stripslashes() and addslashes() behaviors don't actually make much sense.

'the\\\\\quick\\\\\brown\\\\\fox';

will ALSO be output as

the\\quick\\brown\\fox

as will:

'the\\\\\\quick\\\\\\brown\\\\\\fox'

However, this:

'the\\\\\\\quick\\\\\\\brown\\\\\\\fox'

will be output as:

the\\\quick\\\brown\\\fox

Now how does THAT make any sense???

Fri, 29 Dec 2006 at 02:46:43 GMT Link

