Should I use curly brackets or concatenate variables within strings?


Php Problem Overview


Is there an advantage or disadvantage to concatenating variables within strings or using curly braces instead?

Concatenated:

$greeting = "Welcome, " . $name . "!";

Curly braces:

$greeting = "Welcome, {$name}!";

Personally, I've always concatenated my strings, because I use UEStudio, and it highlights PHP variables with a different color when concatenated. However, when the variable is not broken out, it does not. It just makes it easier for my eyes to find PHP variables in long strings, etc.

People are confusing this as being about SQL. This is not what this question is about. I've updated my examples to avoid confusion.

Php Solutions


Solution 1 - Php

All of the following do the same if you look at the output.

  1. $greeting = "Welcome, " . $name . "!";
  2. $greeting = 'Welcome, ' . $name . '!';
  3. $greeting = "Welcome, $name!";
  4. $greeting = "Welcome, {$name}!";

You should not be using option 1, use option 2 instead. Both option 3 and 4 are the same. For a simple variable, braces are optional. But if you are using array elements, you must use braces; e.g.: $greeting = "Welcome, {$user['name']}!";. Therefore as a standard, braces are used if variable interpolation is used, instead of concatenation.

But if characters such as tab (\t), new-line (\n) are used, they must be within double quotations.

Generally variable interpolation is slow, but concatenation may also be slower if you have too many variables to concatenate. Therefore decide depending on how many variables among other characters.

Solution 2 - Php

Although not dealing with injection attacks (including SQLi), it should at least be noted -- especially for PHP devs -- that using any of the above techniques without first encoding and validating all inputs will lead you to an injection-based attack.

It is important to remember security at the beginning of coding -- not the end when all of the code needs to be redone to comply with security requirements. Or, when you finally get this dang " vs. ' war down and realize that it doesn't matter because you are susceptible to XSS using either technique without properly encoding and validating all inputs.

  1. Encode using urlencode() or htmlentities() to normalize the input(s).
  2. Use data-typing for non-strings OR dictionary-lookup and/or regular expressions for strings to validate.
  3. Profit?
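
The two steps listed in this answer, sketched as an added example that is not part of the original answer: concatenation and interpolation build the same string, so the protection comes from validating the input and encoding it for the output context. The function names (validateName, validateAge, html), the validation policies and the sample inputs are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Step 2a: allow-list validation for a string (hypothetical policy:
// letters, spaces, apostrophes and hyphens, 1 to 50 characters).
function validateName(string $raw): ?string
{
    $raw = trim($raw);
    return preg_match('/^\p{L}[\p{L} \'\-]{0,49}$/u', $raw) === 1 ? $raw : null;
}

// Step 2b: data-typing for a non-string (hypothetical range 1..120).
function validateAge(string $raw): ?int
{
    $age = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 120]]);
    return $age === false ? null : $age;
}

// Step 1: encode for the output context. htmlentities() covers HTML text
// and quoted attributes; urlencode() covers a query-string value.
function html(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs standing in for untrusted request parameters.
$samples = [
    ['name' => "Anne-Marie O'Neil", 'age' => '34'],
    ['name' => '<script>alert(1)</script>', 'age' => '34abc'],
];

foreach ($samples as $in) {
    // Both styles build the same bytes, so both carry the same risk.
    $concat = 'Welcome, ' . $in['name'] . '!';
    $interp = "Welcome, {$in['name']}!";
    echo 'identical raw strings: ', var_export($concat === $interp, true), PHP_EOL;

    $name = validateName($in['name']);
    $age  = validateAge($in['age']);
    if ($name === null || $age === null) {
        // Rejected input is still encoded before it is echoed back.
        echo 'rejected: ', html($in['name']), PHP_EOL;
        continue;
    }
    // Encode at output time; the quoting style of the template is irrelevant.
    echo '<p>Welcome, ' . html($name) . "! Age: {$age}</p>", PHP_EOL;
    echo '<a href="/profile?name=' . urlencode($name) . '">profile</a>', PHP_EOL;
}
```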

Solution 3 - Php

With pre-compiled PHP (Bytecode Cache) it makes no difference.

This feature comes with PHP 5.5 (Zend Optimizer+).

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type | Original Author | Original Content on Stackoverflow
Question | Michael Irigoyen | View Question on Stackoverflow
Solution 1 - Php | Amil Waduwawara | View Answer on Stackoverflow
Solution 2 - Php | It DoesntMatterAnyway | View Answer on Stackoverflow
Solution 3 - Php | alexwenzel | View Answer on Stackoverflow