Reply to Re: single quotes, double quotes and "undefined index"

Posted by Markus on 07/16/07 08:01

Michael Fesser wrote:
> .oO(Markus)
>
>> Additionally, if you want to be safe, you can just concatenate the string:
>> $sql = "SELECT * FROM foo WHERE bar='".$_SESSION['bar']."'";
>
> Sure, but IMHO this kind of defeats the purpose of double-quoted strings
> in PHP. When I see something like
>
> print "text ".$var." more text ".$anotherVar." and so on";
>
> or even worse
>
> print "<a href=\"".$url."\">".$text."</a>";
>
> then I'm getting...what's that in English - goose bumps (de: Gänsehaut)?
> It's just terrible and hurts the eye of an experienced programmer. Not
> to mention that jumping in and out of string parsing and mixing it with
> escaping and different quote signs is very error-prone.

I partially agree. Anyway I see nothing Gänsehaut-prone about
concatenating single-quoted strings, such as

print 'text '.$var.' more text '.$arr['foo'].' '.$obj->bar.'st time';

It is IMO a good habit if somebody does not want to run into the
questions discussed above, and there seem to be even performance reasons
for it:
http://www.php.net/manual/de/language.types.string.php#74627

But I admit, the above $sql example with double quotes originates in my
early insecurity about whether double quotes would work inside an SQL
query, so I got used to double-quoting those and using single quotes inside.
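
Added example, not part of the post or the thread: the quoting styles discussed above all produce the same SQL text, so a session value containing an apostrophe breaks each of them equally, while a bound parameter keeps the value out of the SQL text. The table `foo` and column `bar` follow the post; the in-memory SQLite database (assumes the `pdo_sqlite` extension) and the sample value are constructed for illustration.

```php
<?php
// Constructed test database: table foo / column bar as in the post's query.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE foo (id INTEGER PRIMARY KEY, bar TEXT)");
$pdo->exec("INSERT INTO foo (bar) VALUES ('plain'), ('O''Brien')");

// Constructed session value that happens to contain an apostrophe.
$_SESSION = ['bar' => "O'Brien"];

// Three spellings from the thread: interpolation, double-quoted
// concatenation, single-quoted concatenation.
$a = "SELECT * FROM foo WHERE bar='{$_SESSION['bar']}'";
$b = "SELECT * FROM foo WHERE bar='" . $_SESSION['bar'] . "'";
$c = 'SELECT * FROM foo WHERE bar=\'' . $_SESSION['bar'] . '\'';

// PHP's quote style is gone once the string is built: all three are identical.
var_dump($a === $b && $b === $c);
echo $b, "\n";

// The value is now part of the SQL text, so its apostrophe ends the
// SQL string literal early and the statement no longer parses as intended.
try {
    $pdo->query($b);
    echo "concatenated query ran\n";
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}

// Prepared statement: the SQL text is fixed and the value travels
// separately, so neither PHP quoting nor SQL quoting of the value matters.
$stmt = $pdo->prepare('SELECT id, bar FROM foo WHERE bar = :bar');
$stmt->execute([':bar' => $_SESSION['bar']]);
print_r($stmt->fetchAll(PDO::FETCH_ASSOC));
```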
