Security Risk?
Marshall
May 17th, 2004, 09:08 PM
Normally when I code php i write things with interchanging quotes instead of breaking out of the quotes. Is this a security risk to the code and should I start breaking out of quotes instead of switching em? (examples below)
Interchanging quotes:
echo '<a href="blablabla">blablabla</a>';
Breaking out:
echo "<a href=\"blablabla\">blablabla</a>";
ZYV
May 18th, 2004, 10:45 AM
Marshall
AFAIK there is no security risk unless you are using backticks (" ` "). The fact is that backticks are also used as an alias for the exec() function, which allows you to run server jobs from PHP scripts. This will run "bar" on the server:
$foo = "/usr/bin/bar";
echo `$foo`;
Here is the quote from the Manual about the strings:
Syntax
A string literal can be specified in three different ways.
single quoted
double quoted
heredoc syntax
Single quoted
The easiest way to specify a simple string is to enclose it in single quotes (the character ').
To specify a literal single quote, you will need to escape it with a backslash (\), like in many other languages. If a backslash needs to occur before a single quote or at the end of the string, you need to double it. Note that if you try to escape any other character, the backslash will also be printed! So usually there is no need to escape the backslash itself.
Note:
Unlike the two other syntaxes, variables and escape sequences for special characters will not be expanded when they occur in single quoted strings.
Double quoted
If the string is enclosed in double-quotes ("), PHP understands more escape sequences for special characters:
Table 2.1. Escaped characters
sequence meaning
\n linefeed (LF or 0x0A (10) in ASCII)
\r carriage return (CR or 0x0D (13) in ASCII)
\t horizontal tab (HT or 0x09 (9) in ASCII)
\\ backslash
\$ dollar sign
\" double-quote
\[0-7]{1,3} the sequence of characters matching the regular expression is a character in octal notation
\x[0-9A-Fa-f]{1,2} the sequence of characters matching the regular expression is a character in hexadecimal notation
Again, if you try to escape any other character, the backslash will be printed too!
But the most important feature of double-quoted strings is the fact that variable names will be expanded. See string parsing for details.
So it turns out that the only difference is that the variables are not expanded in the single-quote case and fewer escape characters are parsed.
If you have other concerns please share; I never thought about this before you asked...
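An added example (my own, not code from the thread or the PHP manual) putting the three string forms side by side and showing where the backtick hazard really lies: not in the choice of quotes, but in untrusted data reaching the shell. The `$name` value is a constructed stand-in for a request parameter.

```php
<?php
// Added example: quoting styles from the posts above, plus the backtick operator.

$page = 'blablabla';

// Both quoting styles from the first post produce identical output;
// neither one is a security risk on its own.
$single = '<a href="blablabla">blablabla</a>';
$double = "<a href=\"blablabla\">blablabla</a>";
var_dump($single === $double);   // bool(true)

// Single quotes do not expand variables or escape sequences (other than \' and \\);
// double quotes expand both.
echo 'Link: $page\n';            // literal text: Link: $page\n
echo "Link: $page\n";            // Link: blablabla, followed by a newline

// The backtick operator is a separate string form: its contents are run as a
// shell command (equivalent to shell_exec()). This is what the reply warns about.
$foo = 'echo hello';
echo `$foo`;                     // runs the command and prints: hello

// The actual risk is interpolating untrusted input into such a string.
// Constructed sample value; assume it arrived in a request parameter.
$name = "O'Brien";
// Unsafe pattern (do not use): echo `echo Hello $name`;  -- the shell parses $name

// Mitigation 1: don't shell out when a PHP function does the job.
echo "Hello " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "\n";

// Mitigation 2: if a command is unavoidable, pass each argument through
// escapeshellarg(), which wraps it in single quotes and escapes embedded quotes,
// so the shell sees one literal word: 'O'\''Brien'
$arg = escapeshellarg($name);
echo $arg . "\n";
$out = (string) shell_exec('echo Hello ' . $arg);
echo htmlspecialchars($out, ENT_QUOTES, 'UTF-8');   // Hello O'Brien
```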
Revenant
May 28th, 2004, 11:53 PM
I never knew that. Thanks a load guys...Have to go on and modify all my scripts now :banghead: :p
ZYV
May 29th, 2004, 05:03 AM
Glad it helped someone :)