[nycphp-talk] New to group and array question

David Krings ramons at gmx.net
Mon Sep 11 19:51:51 EDT 2006


Hi!
         First of all, thank you for the great responses that pretty much 
cleared up my initial questions, but generated a few new ones. I will cut 
this digest down to some useful length (apologies to those who are hooked 
on thread IDs).

At 11:53 AM 9/11/2006, you wrote:
>    In general, yes, use single quotes.  Using double-quotes will cause
>PHP to interpret the string, and is necessary if the key has a variable
>in it, for example: $myarray["something_$var"], with $var=='foo', will
>get you the value of $myarray['something_foo'].

Single quotes it is.

>    While I'm not entirely sure about how you're echoing stuff, try just
>not putting the array reference inside the string.  Instead, use the
>concatenation operator ".":
>
>     echo 'You are ' . $user['username'] . '.  Last login: ' .
>$user['last_login'];

I echoed stuff this way:
echo "This is for $lovedones['wife']!";
That throws this parse error
parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or 
T_VARIABLE or T_NUM_STRING.
So, the correct(er) way is
echo "This is for ".$lovedones['wife']."!";
Duh! That apparently was just too easy to figure it out myself.

> > I always stumble across an odd thing with arrays. I read in
> > many documentations and books that one should use the single
> > quotes when referencing to an array element, such as
> > $array['element'].
>
>I'm happy to see that you're questioning, but not discarding, PHP dogma.

I always assume that there are good reasons for designing something that 
blatantly inconsistent. It is just that I don't know about it, which doesn't 
mean that it is wrong.

>1. Quoting an array element inside a quoted string can be done with
>curly braces:
>
>"Once upon a {$myarray['time']}, ..."

Ui! Curly braces. I haven't seen that one before, but a quick test shows 
that it indeed works (one of these I need to see it to believe it things). 
Will probably not become my most favourite way of doing this. I already 
know the concatenation stuff and understand what it does.

>2. If the arrays you're talking about are superglobals like $_GET and
>$_POST, both of your examples probably demonstrate security
>vulnerabilities. Using raw input in an echo creates a cross-site
>scripting (XSS) vulnerability. Using raw input in a call to header()
>creates an HTTP response splitting vulnerability.

Aha, no idea what that is. I do not want to design breakage into my script, 
so here quickly what I want to do. I use the header() mainly for redirects 
(and for turning off cache using code that I copied from the php.net site 
comments). In order to properly redirect I need to know what the root 
folder of my set of scripts is. As long as the directory hierarchy, the 
directory names, and the name of the start script stay intact it will not 
matter where on a server this block of files is located. On the first 
script I generate the redirect path section that I can use in all other 
scripts like this:
// Make path for redirects
$path = "http://";
$path = $path.$_SERVER['HTTP_HOST'];
$script = $_SERVER['PHP_SELF'];
$script = str_replace("/login.php", "", $script);
$path = $path.$script;

I then register $path with the session that I started earlier using
$_SESSION['sessionredirectpath'] = $path;

and use it later in scripts for redirects like this:
header("location:$_SESSION[sessionredirectpath]/administration/adminwelcome.php");

which really should be this:
header("location:".$_SESSION['sessionredirectpath']."/administration/adminwelcome.php");

[...] I read that stuff about the constants issue somewhere after I posted.

>3. NOT RECOMMENDED BUT USUALLY WORKS:  don't use the single quotation
>marks: echo "The $variable is $array[elementName]";

Yes, it works and in the worst case I can pick German variable names. 
Chances are the PHP folks will not introduce German keywords or constants. 
Besides the constants issue, is there anything else that makes not using 
the single quotes a bad idea? I ask because I use some scripts that I 
hacked together some time ago and for the time being they do their jobs. In 
case of some security issue I might want to pull them sooner than later.


>security that are around can tell you how to do this. If you are not
>working with these kinds of arrays, but rather with ones that you
>have created yourself, you may not need to worry about security
>issues in using them.

So you are saying that the way I described it above might be OK since I set 
the session variable myself, correct?


>I think this is very good advice, David. If there is one thing I learned
>about PHP, it is that PHP either makes rational sense or does not ;-) In
>other words, there is not much actual need to follow "dogma" if you
>understand how it works, except in those cases where PHP is kinda broke.
>The hard part is knowing when it is broke, and this list is a *great*
>resource for that. (please note I do suggest you follow best practices,
>because you can't recognize what is and isn't "dogma" unless you already
>know where all the real problems are).

Using the period as concatenation character is most likely one of those 
cases where PHP is broken, at least in my opinion. PHP is the only language 
that uses the period as far as I have seen. I have to admit that I haven't 
seen much in regards to programming. Actually, I hate programming, it is 
just that with PHP it is by far not so painful. And it is a good exercise 
for me as a software tester to be not totally at the mercy of the developers.

>STATIC (i.e. to be used just as it is). In short just using 'single quote'
>and concatenation you can write 99% code in PHP. This is true everywhere
>in PHP whether you assign value to variables, print something, define
>array with elements, pass arguments to function/class methods or evaluate
>any expression. This is good practice throughout PHP and probably for all
>other languages. Let me demonstrate few examples.
>#1
>
>$as__name['first']='David';
>
>(Key of array has been quoted using 'single' quotes because key itself is
>static, same for value for that array i.e. 'David';
>
>#2
>
>if('David' == $as__name['first'])
>         echo 'Name is '.$as__name['first'];

The examples really helped understanding your point. I am sure that the 
vast majority of casual and even semi-professional PHP users always uses 
the double quote because this is how the official PHP documentation tells 
one to do. I just checked again and in the document topic about echo 
only a single example shows it used with the single quotes. That though in 
combination with the note "Using single quotes will print the variable 
name, not the value", which for the newbie sounds bad. The PHP documentors 
should use your example and explanation, it makes it easier somehow.

>Bottom line: There is not any MANDATORY use of "Double quotes" in PHP
>except in 1 case when:
>
>#a Special sequence like "\n", "\t", "\s" are to be expanded into New
>line, Tab and Space respectively.

Now, that really sucks, doesn't it? I can't come up with a better proposal 
without violating the "anything in single quotes is static" rule.

>In short "double quotes" tries to expand each and every part of the
>expression, which is not required most of the time. Hope this will help you
>clear some basic level of evaluation of expressions.

         Yes, indeed it does and all your superb responses cleared up quite 
a bit of other things as well. Wow! I haven't learned that much about PHP 
in such a short time for quite a while. Thank you very very much and I hope 
I don't get beaten up over this quite lengthy response.

                 Best regards,

                                 David
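
Added example (not part of the original post or of the replies it quotes): the redirect base from the message, built only after the $_SERVER values have been validated, plus escaping at the point of echo for the XSS point raised in item 2. ALLOWED_HOSTS, build_redirect_base() and redirect_header() are hypothetical names, and the host names and sample request values are constructed; SCRIPT_NAME is used in place of PHP_SELF because HTTP_HOST and the trailing part of PHP_SELF both come from the request.

```php
<?php
// Added example: hypothetical helpers, not code from the thread.
// Hosts this application is expected to be served from (constructed values).
const ALLOWED_HOSTS = ['www.example.com', 'intranet.example.com'];

// Build the redirect base as in the post, but validate each part first.
// $server stands in for $_SERVER so the function can take sample input.
function build_redirect_base(array $server, string $entryScript = '/login.php'): string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        // HTTP_HOST is the client's Host header: fall back to a known value.
        $host = ALLOWED_HOSTS[0];
    }
    // SCRIPT_NAME leaves out the trailing path info that PHP_SELF may carry
    // (for example /app/login.php/anything).
    $script = $server['SCRIPT_NAME'] ?? '';
    $len = strlen($entryScript);
    if (substr($script, -$len) !== $entryScript) {
        throw new RuntimeException('Unexpected entry script');
    }
    $dir = (string) substr($script, 0, -$len);
    if (!preg_match('#\A(/[A-Za-z0-9._-]+)*\z#', $dir)) {
        throw new RuntimeException('Unexpected characters in script path');
    }
    return 'http://' . $host . $dir;
}

// Return the header line, refusing any target that contains a line break.
function redirect_header(string $base, string $relative): string
{
    $url = $base . $relative;
    if (preg_match('/[\r\n]/', $url)) {
        throw new InvalidArgumentException('Line break in redirect target');
    }
    return 'Location: ' . $url;
}

// Constructed sample request: a Host value that is not on the allow-list.
$sample = [
    'HTTP_HOST'   => "other.example\r\nX-Injected: 1",
    'SCRIPT_NAME' => '/app/login.php',
];
$base = build_redirect_base($sample);   // would be stored in $_SESSION
echo redirect_header($base, '/administration/adminwelcome.php'), "\n";

// For HTML output, escape at the point of echo (constructed sample value).
$lovedones = ['wife' => '<b>Anna</b>'];
echo 'This is for ' . htmlspecialchars($lovedones['wife'], ENT_QUOTES, 'UTF-8') . "!\n";
```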




