Mixing html and php variables inside an echo statement

Question

This may be a problem of my trouble with using single and double quotes in one statement. But I have this piece of code:

echo '<form>
      <input type="submit" value="$number" onClick="function();">
      </form>'

The problem with this is that the submit button says the phrase $number instead of the value of that variable.

So I looked around and found this solution:

echo "<form>
      <input type='submit' value='$number' onClick='function();'>
      </form>

This outputs the value of $number correctly, but I am used to using single quotes around my echo statements and would like to keep it that way. Why does just switching all single quotes into doubles, and doubles into singles fix the problem? And is there a modification to the first bit of code that would allow me to keep the single quotes on echo, and double quotes on the attributes?

Answer 1

This outputs same to me

    echo '<link rel="apple-touch-icon-precomposed" sizes="57x57" href='. ${base_url_favicon} . '/apple-touch-icon-57x57.png />'."\n";
echo "<link rel='apple-touch-icon-precomposed' sizes='57x57' href='${base_url_favicon}/apple-touch-icon-57x57.png' />\n";

Answer 2

In PHP, double quoted strings are automatically parsed for any variables contained within, but single quoted strings are not. Therefore:

$myVar = 21;
echo "myVar: $myVar"

This outputs the text: myVar: 21

Whereas:

$myVar = 21;
echo 'myVar: $myVar'

This outputs the text: myVar: $myVar

One problem with your code is that in HTML, the values of elements' attributes must be enclosed in double quotes, not single quotes. I know that some browsers will accept this form (or even no quotes at all), but this is not the correct method.

There are various ways of achieving what you wish, correctly.

Method one: Escaping double-quoted strings:

$myVar = 21;
echo "<div id=\"$myVar\"></div>";

While this may be a rather inelegant solution, it will work.

Method two: Using string concatenation with single (or double) quoted strings:

$myVar = 21;
echo '<div id="' . $myVar . '"></div>';

This offers a better solution IMO because you can use function calls or any other PHP code in there if you wish.

WARNING:

Please note that when you aren't certain of the contents of $myVar (i.e. the user enters it in), putting it directly into HTML code is a security vulnerability in the form of cross-site scripting (XSS). Imagine the user enters something like this:

lol"><script>alert('XSS!');</script></div><div id="lol2

This will cause the resulting HTML code to contain the following:

<div id="lol"><script>alert('XSS!');</script></div><div id="lol2"></div>

This is just a benign example, but an attacker could easily use the same technique to steal a user's cookies (to pretend to be logged in as that user). The message here is that when you aren't 100% sure of the contents of a variable, don't insert it into HTML code directly. Instead, call htmlspecialchars($myVar). This would translate to the following:

$myVar = $_POST['whatever'];
echo '<div id="' . htmlspecialchars($myVar) . '"></div>';

Answer 3

You could just do this and avoid the whole song and dance. I think it is easier to read.

<form>
    <input type="submit" value="<?php echo $number; ?>" onClick="myFunction()">
</form>

Answer 4

In PHP, variables inside double quotes are processed and evaluated, while in single quotes everything is considered as part of the string.

A better explanation here: http://www.trans4mind.com/personal_development/phpTutorial/quotes.htm

double quote example from the above link:

$something="Oh something";
echo "My answer is $something.<br>";
//result is: My answer is Oh something

single quote example from the above link:

echo 'My answer is $something.<br>';
//result is: My answer is $something.

Answer 5

PHP performs what is called variable interpolation on double-quoted strings, which means that the strings are searched for any variables that they might contain, whose values are substituted in the string. If you want to keep the single quotes, you will need to concatenate your strings and variables together like so:

echo '<form>
<input type="submit" value="' . $number . '" onClick="function();">
</form>';

Or, if you want to keep the double quotes, you can escape the double quotes that you want to print:

echo "<form>
<input type=\"submit\" value=\"$number\" onClick=\"function();\">
</form>"

Answer 6

PHP differentiates between single and double quoted strings as being different things. Single quoted strings are literals, you want them output as is. Double quoted strings are to be interpreted (scanned) for any PHP variables and the appropriate replacements made.

This is simply a feature (and a useful one) of the language. I would actually recommend that you get used to using double quotes for strings in all languages. There is no language where it is unacceptable and in staticly typed languages (C, C++, Java, ...) single quotes indicate a character while double quotes indicate a string. That is, String foo = 'my string'; would error in Java as would char * foo = 'my string'; in C or C++. However, char foo = 'a'; is valid, as is String foo = "my string";

Only if you need to eke out the last nanoseconds of performance from PHP might you go through and convert double quoted strings to single quoted strings. In other languages it doesn't matter. Afaik, PHP is the only language that make this string specific double vs. single quotes distinction.

Answer 7

If you want to keep using single quotes, you'll need to use the append operator (a period).

echo '<form>
      <input type="submit" value="' . $number . '" onClick="function();">
      </form>';

Answer 8

When you use the single quote, everything inside is taken literally, except single quotes. When using double quotes, anything starting with a dollar sign ($) is assumed to be a variable by PHP. When using variables, I usually like to start the echo with a double quote.