Geek Answers Handbook

Mixing html and php variables inside an echo expression

This may be the problem of my problem using single and double quotes in one expression. But I have this piece of code:

echo '<form> <input type="submit" value="$number" onClick="function();"> </form>'

The problem is that the submit button says the phrase $number instead of the value of this variable.

So, I looked around and found this solution:

 echo "<form> <input type='submit' value='$number' onClick='function();'> </form>

This correctly displays the value of $ number, but I'm used to using single quotes around my echo statements and would like to store it that way. Why does simply switching all single quotes to doubles and doubling in singles fix the problem? And is there a modification of the first bit of code that would allow me to store single quotes in the echo and double quotes for attributes?

+4
source share
7 answers

In PHP, double quotes are automatically parsed for any variables contained inside, but single quotes are not. Therefore:

 $myVar = 21; echo "myVar: $myVar"

This displays the text: myVar: 21

While:

 $myVar = 21; echo 'myVar: $myVar'

This prints the text: myVar: $myVar

One problem with your code is that in HTML element attribute values ​​must be enclosed in double quotes, not single quotes. I know that some browsers will take this form (or even no quotes at all), but this is not the right method.

There are various ways to achieve what you want.

First method: escaping strings with two quotes:

 $myVar = 21; echo "<div id=\"$myVar\"></div>";

While this may be a rather inelegant solution, it will work.

Method two: use string concatenation with single (or double) quotation marks:

 $myVar = 21; echo '<div id="' . $myVar . '"></div>';

This offers a better IMO solution because you can use function calls or any other PHP code there if you want.

Attention:

Please note that when you are not sure about the contents of $myVar (i.e. the user enters it), its direct HTML code is a cross-site scripting (XSS) security vulnerability. Imagine that the user enters something like this:

 lol"><script>alert('XSS!');</script></div><div id="lol2

This will result in the following content as a result of the HTML code:

 <div id="lol"><script>alert('XSS!');</script></div><div id="lol2"></div>

This is just a good example, but an attacker can easily use the same technique to steal a user's cookies (to pretend that they are logged in as that user). The message here is that if you are not 100% sure of the contents of a variable, do not paste it directly into the HTML code. Instead, call htmlspecialchars($myVar) . This will result in the following:

 $myVar = $_POST['whatever']; echo '<div id="' . htmlspecialchars($myVar) . '"></div>';
+8
source

In PHP, variables inside double quotes are processed and evaluated, and in single quotes everything is treated as part of a string.

The best explanation is here: http://www.trans4mind.com/personal_development/phpTutorial/quotes.htm

double quote example from the above link:

 $something="Oh something"; echo "My answer is $something.<br>"; //result is: My answer is Oh something

An example of a single quote from the above link:

 echo 'My answer is $something.<br>'; //result is: My answer is $something.
+1
source

When you use a single quote, everything inside is taken literally, except for single quotes. When using double quotes, everything starting with a dollar sign ($) is considered a PHP variable. When using variables, I usually prefer to run an echo with a double quote.

+1
source

If you want to use single quotes, you will need to use the append operator (period).

 echo '<form> <input type="submit" value="' . $number . '" onClick="function();"> </form>';
+1
source

You could just do it and avoid the whole song and dance. I think reading is easier.

 <form> <input type="submit" value="<?php echo $number; ?>" onClick="myFunction()"> </form>
+1
source

PHP distinguishes between single and double quotes as different things. Single quotes are literals, you want them to appear as they are. Double quoted strings must be interpreted (scanned) for any PHP variables and associated changes.

This is just a feature (and useful) of the language. I would recommend you use double quotes for strings in all languages. There is no language where this is unacceptable, but in statically typed languages ​​(C, C ++, Java, ...) single quotes indicate a character, and double quotes indicate a string. That is, String foo = 'my string'; will be a bug in Java, like char * foo = 'my string'; in C or C ++. However, char foo = 'a'; valid as String foo = "my string";

Only if you need to execute the last nanoseconds of performance with PHP can you go through and convert double-quoted strings to single-quoted ones. In other languages, this does not matter. Afaik, PHP is the only language that makes this string specification double and single quotes.

0
source

PHP performs the so-called variable double-quoted string interpolation, which means that strings are searched for any variables that they may contain, whose values ​​are substituted into the string. If you want to keep single quotes, you will need to concatenate your strings and variables together like this:

 echo '<form> <input type="submit" value="' . $number . '" onClick="function();"> </form>';

Or, if you want to keep double quotes, you can avoid the double quotes that you want to print:

 echo "<form> <input type=\"submit\" value=\"$number\" onClick=\"function();\"> </form>"
0
source

More articles:


All Articles