Ken Ward's PHP Tutorial

Quotes - Single and Double

Topics on this page:
  1. Escaping with the Backslash
  2. Demonstrating Bits of Code
  3. Line Spanning with Double Quotes
  4. Code is Evaluated within Double Quotes
  5. Heredoc Syntax
  6. Reference

In JavaScript, you can use either single (') or double (") quotes and they behave the same. In PHP it is different: double quotes and single quotes aren't exactly the same, as the examples below show.

$something="Oh something";

echo "My answer is $something.<br>";

//result is: My answer is Oh something.

In the above, using double quotes, the variable $something is evaluated within the quotes, and the result may not be what you expected: the variable is replaced by its value, Oh something. Variables, but not functions or constants, are evaluated even when enclosed in double quotes.

echo 'My answer is $something.<br>';

//result is: My answer is $something.

When single quotes are used, as above, the variable isn't evaluated and is printed on the screen literally as $something.

Escaping with the backslash \

The backslash character (\) can be used to escape quotes and the dollar sign of a variable, so that PHP takes them literally. The next example repeats the idea that things are evaluated within double quotes:

$something="Oh something!";

echo "My answer is $something";

//result: My answer is Oh something!

So nothing new here, just a reminder. Next we use the backslash to escape the variable $something and also the double quotes around "is":

echo "<br>";

echo "My answer \"is\" \$something";

//result: My answer "is" $something

PHP doesn't stop with a parse error on finding the inner double quotes; because they are escaped it treats them as part of the string, here just to emphasise "is". Likewise it does not expand $something but prints it literally, because its dollar sign is escaped.

Demonstrating Bits of Code

Consider the following:

echo "My answer \\\"is\\\" \\\$something=My answer \"is\" \$something";

//result: My answer \"is\" \$something=My answer "is" $something

In order to show a backslash, we need to double it ("\\"). In the above, we also need a backslash to escape the quote or the dollar sign. Therefore there are three backslashes before each double quote we want to show escaped, and three before the first occurrence of $something. So none of "My answer \\\"is\\\" \\\$something=" is evaluated, and we see the code itself: "My answer \"is\" \$something=". The part after the equals sign is the code we want to run, which results in "My answer "is" $something".
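The two ideas above (variables are evaluated inside double quotes, and the backslash escapes) in one self-checking script. This is an added example, not code from the tutorial, and it goes a little beyond the text to array elements, object properties and the {$...} syntax; the constant GREETING, the function shout(), the expect() helper and the variables are made up for the demo.

```php
<?php
// Added example (not from the tutorial): a self-checking tour of what PHP expands
// inside double quotes, what it leaves alone, and which backslash escapes each quote
// style honours. GREETING, shout(), $name, $items and $user are made up for this demo.
declare(strict_types=1);

const GREETING = 'Hello';
function shout(string $s): string { return strtoupper($s); }

// Throws if a string is not what the interpolation rules say it should be.
function expect(string $actual, string $expected, string $rule): void {
    if ($actual !== $expected) {
        throw new RuntimeException("$rule: got " . var_export($actual, true));
    }
}

$name  = 'Ken';
$items = ['first' => 'apple', 'second' => 'pear'];
$user  = new stdClass();
$user->name = 'Ken';

// Double quotes expand variables, one level of array index or property access,
// and anything written in the {$...} "complex" syntax.
expect("Name: $name",              'Name: Ken',   'simple variable');
expect("Item: $items[first]",      'Item: apple', 'unquoted key in simple syntax');
expect("Item: {$items['second']}", 'Item: pear',  'quoted key in complex syntax');
expect("Prop: $user->name",        'Prop: Ken',   'property in simple syntax');

// Constants and function calls are not expanded: their names are ordinary text,
// so they have to be concatenated with the dot operator instead.
expect("GREETING shout($name)",       'GREETING shout(Ken)', 'constant and function stay literal');
expect(GREETING . ' ' . shout($name), 'Hello KEN',           'concatenation runs them');

// Escapes honoured in double quotes: \\ \$ \" and control characters such as \t and \n.
expect("dollar: \$name, quote: \"q\", backslash: \\",
       'dollar: $name, quote: "q", backslash: \\', 'escapes in double quotes');
expect("tab:\tnl:\n", 'tab:' . chr(9) . 'nl:' . chr(10), 'control escapes');

// Single quotes honour only \\ and \'; \n, $name and everything else stay literal.
expect('$name \n \\ \'q\'', "\$name \\n \\ 'q'", 'single quotes are (almost) verbatim');

echo "All interpolation rules held.\n";
```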

Line spanning with double quotes

Another peculiarity about double quotes is shown below:

echo "This is a line

and so is this<br>";

//writes This is a line and so is this

This doesn't produce an unterminated string error: a double-quoted string is quite happy to span several lines, and the line breaks become part of the string (the browser then shows them as spaces).

Code is evaluated within double quotes

Code within double quotes is evaluated. For instance:

$something='<script>alert("You have a big nose!")</script>';

echo "(Double quotes) My answer is $something<br>";

//result is: (Double quotes) My answer is

//this result comes after the nasty alert!

The programmer expected to get an ordinary string in $something from the Internet, but got some nasty code instead. The variable within double quotes is evaluated, so the script tag is sent to the browser as part of the page, and the browser runs it as a JavaScript program!

Escaping HTML special characters (including angle brackets)

PHP has a function called htmlspecialchars which converts the characters that have a special meaning in HTML (such as <, >, & and ") into HTML entities, which the browser displays as text and does not run as a program.

$something='<script>alert("You have a big nose!")</script>';

$something=htmlspecialchars($something);

echo "My answer is $something<br>";

//result is: My answer is <script>alert("You have a big nose!")</script>

//(what the browser actually receives is &lt;script&gt;alert(&quot;You have a big nose!&quot;)&lt;/script&gt;)

//That is, just the literal code and no program.

htmlspecialchars changes, for instance, the less-than sign (<) to &lt;, which the browser displays as <, but which cannot start a tag and so cannot run code.

As a cautionary note, consider this bit of code:

$something="<script>alert('You have a big nose!')</script>";

echo "My answer is htmlspecialchars($something)<br>";

//My answer is htmlspecialchars() AND the script runs!

Whilst variables in double quotes are evaluated, the function in the above is not, and the script produces "My answer is htmlspecialchars()". And the alert runs! While PHP knows that $something is a variable (because it starts with a $), it doesn't know that htmlspecialchars is a function and treats it as ordinary text. It does, however, evaluate the variable ($something), and so the bad script reaches the browser and runs. The following fixes this:


$something="<script>alert('You have a big nose!')</script>";

echo "My answer is htmlspecialchars ".htmlspecialchars($something)."<br>";

//result: My answer is htmlspecialchars <script>alert('You have a big nose!')</script>

The function, htmlspecialchars, is kept outside the quotes and joined to the rest of the string using the dot (.) concatenation operator. Another use of the concatenation operator is with constants, which, like functions, are not evaluated inside double quotes.
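The mistake from the cautionary note beside three hardened versions, as an added example that is not code from the tutorial. The input string is a constructed stand-in for a value received from the Internet, and the e() helper is made up for the demo; it passes ENT_QUOTES and an explicit charset to htmlspecialchars rather than relying on the defaults.

```php
<?php
// Added example (not from the tutorial): the "function name inside the quotes" mistake
// from the text beside three hardened versions. The input is a constructed stand-in for
// a value received from the Internet; the e() helper is made up for this demo.
declare(strict_types=1);

$something = '<script>alert("You have a big nose!")</script>';

// Escape for HTML. ENT_QUOTES also converts the single quote, so the result is safe
// inside '...' attributes as well; the charset is given explicitly rather than relying
// on the default, and ENT_SUBSTITUTE keeps invalid UTF-8 from producing an empty string.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 1. Vulnerable: $something is expanded but "htmlspecialchars(" and ")" are literal
//    text, so the live <script> tag reaches the browser.
$vulnerable = "My answer is htmlspecialchars($something)<br>";

// 2. Fixed by concatenation, as the tutorial does: the call happens outside the quotes.
$fixed1 = "My answer is " . e($something) . "<br>";

// 3. Fixed with sprintf, which keeps the template readable when several values are inserted.
$fixed2 = sprintf('My answer is %s<br>', e($something));

// 4. Fixed by escaping into a variable first and then interpolating; this is the only
//    option when the output is built inside a double-quoted string or a heredoc.
$safe   = e($something);
$fixed3 = "My answer is $safe<br>";

// Check the escaping: nothing the browser could read as markup may survive in the value.
if (strpbrk($safe, '<>"\'') !== false) {
    throw new RuntimeException('escaping failed');
}
if ($fixed1 !== $fixed2 || $fixed2 !== $fixed3) {
    throw new RuntimeException('the three fixes should produce the same string');
}
if (strpos($vulnerable, '<script>') === false) {
    throw new RuntimeException('the vulnerable version should still contain the tag');
}

echo "Vulnerable: $vulnerable\n";   // literal function name around a live tag
echo "Fixed:      $fixed1\n";       // the value is now entity-encoded text, not a tag
```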

Heredoc

An alternative to using quotes is heredoc syntax (<<<). Begin by writing "<<<" followed by the terminator label (which can be any valid label; I used "te"). Then write the string and finally, on a new line, write the terminator alone, followed by a semicolon if the statement ends there (before PHP 7.3 the terminator must also begin at the very start of the line, with nothing else on that line but the semicolon). The contents of the string are evaluated as they would be within double quotes, but double quotes inside it need no escaping. For instance:

//te is an arbitrary label

echo <<<te
Just here we have
some text which can
be evaluated including $something
te;

//the label is repeated on its own line to close the string

//result: Just here we have some text which can be evaluated including Oh something!
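Heredoc beside its single-quote counterpart, nowdoc, and the pattern for getting escaped output into a heredoc, where a function call is literal text just as it is inside double quotes. This is an added example, not code from the tutorial; the variables, the labels and the constructed input string are made up for the demo.

```php
<?php
// Added example (not from the tutorial): heredoc beside its single-quote counterpart,
// nowdoc, and the pattern for getting escaped output into a heredoc, where a function
// cannot be called. The variables and the input string are made up for this demo.
declare(strict_types=1);

$something = 'Oh something!';
$row       = ['name' => 'Ken', 'site' => 'PHP Tutorial'];
$untrusted = '<script>alert("You have a big nose!")</script>';   // constructed input

// Heredoc behaves like a double-quoted string: variables expand and \t, \n, \$ are
// escapes, but double quotes inside it need no backslash. The closing label sits
// alone on its line (since PHP 7.3 it may also be indented).
$heredoc = <<<TEXT
Plain: $something
Array: {$row['name']} at {$row['site']}
A "double" and a 'single' quote need no escaping; a literal dollar is \$5.
TEXT;

// Nowdoc (<<<'LABEL') is the single-quote counterpart: nothing is expanded or escaped.
$nowdoc = <<<'TEXT'
Plain: $something and \n and {$row['name']} stay exactly as written.
TEXT;

// A function call inside a heredoc is literal text, exactly as inside double quotes,
// so escape into a variable first and interpolate that.
$safe = htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
$html = <<<HTML
<p>My answer is $safe</p>
HTML;

// Sanity checks on the three strings.
if (strpos($heredoc, 'Oh something!') === false || strpos($heredoc, '\\$') !== false) {
    throw new RuntimeException('heredoc did not expand as expected');
}
if ($nowdoc !== 'Plain: $something and \n and {$row[\'name\']} stay exactly as written.') {
    throw new RuntimeException('nowdoc should be verbatim');
}
if (strpos($html, '<script') !== false) {
    throw new RuntimeException('escaped value leaked markup into the page');
}
echo $heredoc, "\n\n", $nowdoc, "\n\n", $html, "\n";
```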

 

Reference

PHP Manual Language Types