[nycphp-talk] New to group and array question
Chris Shiflett
shiflett at php.net
Sun Sep 10 20:58:37 EDT 2006
David Krings wrote:
> I am new in this group.
Welcome. :-)
> I always stumble across an odd thing with arrays. I read in
> many documentations and books that one should use the single
> quotes when referencing to an array element, such as
> $array['element'].
I'm happy to see that you're questioning, but not discarding, PHP dogma.
> Generally, this works fine and I use it that way, but it
> always fails when using it in echo or header statements (and
> probably a few others).
Two things:
1. Quoting an array element inside a quoted string can be done with
curly braces:
"Once upon a {$myarray['time']}, ..."
2. If the arrays you're talking about are superglobals like $_GET and
$_POST, both of your examples probably demonstrate security
vulnerabilities. Using raw input in an echo creates a cross-site
scripting (XSS) vulnerability. Using raw input in a call to header()
creates an HTTP response splitting vulnerability.
> What is the significance of the single quotes? What is the
> expert advice on using or not using them?
When you don't use them, your syntax indicates that the array key is a
constant. If that constant doesn't exist, PHP will try treating the name
of the constant as a string, in case that's what you really meant. The
result is that it will "work" most of the time, but it's not completely
reliable (what if there happens to be a constant by that name?), and
it's very ugly regardless.
Hope that helps.
Chris
--
Chris Shiflett
Principal, OmniTI
http://omniti.com/
More information about the talk
mailing list