Home » Php » php – Should I use curly brackets or concatenate variables within strings?

php – Should I use curly brackets or concatenate variables within strings?

Posted by: admin April 23, 2020 Leave a comment

Questions:

Is there an advantage or disadvantage to concatenating variables within strings or using curly braces instead?

Concatenated:

$greeting = "Welcome, " . $name . "!";

Curly braces:

$greeting = "Welcome, {$name}!";

Personally, I’ve always concatenated my strings, because I use UEStudio, and it highlights PHP variables with a different color when concatenated. However, when the variable is not broken out, it does not. It just makes it easier for my eyes to find PHP variables in long strings, etc.

People are confusing this about being about SQL. This is not what this question is about. I’ve updated my examples to avoid confusion.

How to&Answers:

All of the following does the same if you look at the output.

  1. $greeting = "Welcome, " . $name . "!";
  2. $greeting = 'Welcome, ' . $name . '!';
  3. $greeting = "Welcome, $name!";
  4. $greeting = "Welcome, {$name}!";

You should not be using option 1, use option 2 instead. Both option 3 and 4 are the same. For a simple variable, braces are optional. But if you are using array elements, you must use braces; e.g.: $greeting = "Welcome, {$user['name']}!";. Therefore as a standard, braces are used if variable interpolation is used, instead of concatenation.

But if characters such as tab (\t), new-line (\n) are used, they must be within double quotations.

Generally variable interpolation is slow, but concatenation may also be slower if you have too many variables to concatenate. Therefore decide depending on how many variables among other characters.

Answer:

Although not dealing with injection attacks (including SQLi), it should at least be noted — especially for PHP devs — that using any of the above techniques without first encoding and validating all inputs will lead you to an injection-based attack.

It is important to remember security at the beginning of coding — not the end when all of the code needs to be redone to comply with security requirements. Or, when you finally get this dang ” vs. ‘ war down and realize that it doesn’t matter because you are susceptible to XSS using either technique without properly encoding and validating all inputs.

  1. Encode using urlencode() or htmlenities() to normalize the input(s).
  2. Use data-typing for non-strings OR dictionary-lookup and/or regular expressions for strings to validate.
  3. Profit?

Answer:

With pre-comiled PHP (Bytecode Cache) it makes no difference.

This feature come with PHP 5.5 (Zend Optimizer+).