Home » Php » Advantages / inconveniences of heredoc vs nowdoc in php

Advantages / inconveniences of heredoc vs nowdoc in php

Posted by: admin April 23, 2020 Leave a comment


As a newbie, I have been advised to preferably use heredoc compared to too many nested codes (see Unexpected T_ELSE in php code).

But I can’t manage to understand if there is a significant difference between heredoc and nowdoc.

What would be the advantages for heredoc and nowdoc compared to the other one that would be important for a newbie to understand (i.e. not very minor advantages but important to understand for me).

How to&Answers:

Nowdocs are to single-quoted strings what heredocs are to double-quoted strings. A nowdoc is specified similarly to a heredoc, but no parsing is done inside a nowdoc. The construct is ideal for embedding PHP code or other large blocks of text without the need for escaping.


In other words:

$foo = 'bar';

$here = <<<HERE
    I'm here , $foo !

$now = <<<'NOW'
    I'm now , $foo !      

$here is “I’m here , bar !”, while $now is “I’m now , $foo !”.

If you don’t need variable interpolation but need special characters like $ inside your string, Nowdocs are easier to use. That’s all.


1. heredocs text behaves just like a double-quoted string, without the double quotes.
2. Quotes in a heredoc do not need to be escaped, but the escape codes \n linefeed,
\r carriage return,
\t horizontal tab, \v vertical tab, \e escape, \f form feed, \ backslash,\$ dollar sign,\” double-quote
can still be used. Variables are expanded, but the same care must be taken when expressing complex variables inside a heredoc as with strings.

Example :

$heredoc_exmaple= <<<HEREDOC
\n ,\r ,\t ,\r ,\v ,\e ,\f ,\ , \ ,$89 ,$ , $myname , ' , $myname ,  \" ,\'
echo $heredoc_exmaple;

//OUTPUT \n ,\r ,   , ,\v ,\e , ,\ , \ ,$89 ,$ , Tikku , ' , $myname , \" ,\'

1. nowdocs text behaves just like a single-quoted string, without the single quotes.
2. Quotes in a nowdocs do not need to be escaped.Variables are not expanded in it.Advantage of nowdocs is embedding PHP code and escape codes without the need for escaping.

Example :

$nowdoc_exmaple= <<<'NOWDOC'
\n ,\r ,\t ,\r ,\v ,\e ,\f ,\ , \ ,$89 ,$ , $myname  , ' , $myname ,  \" ,\'

echo $nowdoc_exmaple;

//OUTPUT \n ,\r ,\t ,\r ,\v ,\e ,\f ,\ , \ ,$89 ,$ , $myname , ' , $myname , \" ,\'

Syntax: A nowdoc is identified with the same <<< sequence used for heredocs, but the identifier which follows is enclosed in single quotes, e.g. <<<‘NOWDOC’. All the rules for heredoc identifiers also apply to nowdoc identifiers, especially those regarding the appearance of the closing identifier.


Nowdoc is great when you don’t want to deal with quoting and unquoting complex strings, since it won’t interpret any quotes and it won’t accept variables. As such, it’s well suited to manually displaying actual code snippets!

However, if you’re using a mix of heredocs and nowdocs for blocks of string content, which is an easy temptation to fall into, you could easily run into XSS (cross site scripting) problems where-ever you use heredoc! As such, this approach is just not clean enough for me to recommend to a developer starting out in php! Instead, you should be trying to use templates (of whatever kind, or whatever template engine you like), for these large blocks of information. After all, you don’t want html in your php, and you -certainly- don’t want user-injected javascript, like:

$username = '<script>alert(document.cookie.toString())</script>';

$insecure_example = <<<HERE
    I really like having my site exploited, $username

So don’t use HEREDOCS and NOWDOCS in the place of a proper templating approach or a templating engine.

Where-ever there is an interface between languages or technologies, you have to encode. php to sql? bind. php to html? encode. http to php?