[nycphp-talk] New to group and array question

Chris Shiflett shiflett at php.net
Sun Sep 10 20:58:37 EDT 2006


David Krings wrote:
> I am new in this group.

Welcome. :-)

> I always stumble across an odd thing with arrays. I read in
> a lot of documentation and books that one should use the single
> quotes when referencing an array element, such as
> $array['element'].

I'm happy to see that you're questioning, but not discarding, PHP dogma.

> Generally, this works fine and I use it that way, but it
> always fails when using it in echo or header statements (and
> probably a few others).

Two things:

1. Quoting an array element inside a quoted string can be done with
curly braces:

"Once upon a {$myarray['time']}, ..."

2. If the arrays you're talking about are superglobals like $_GET and
$_POST, both of your examples probably demonstrate security
vulnerabilities. Using raw input in an echo creates a cross-site
scripting (XSS) vulnerability. Using raw input in a call to header()
creates an HTTP response splitting vulnerability.

> What is the significance of the single quotes? What is the
> expert advice on using or not using them?

When you don't use them, your syntax indicates that the array key is a
constant. If that constant doesn't exist, PHP will try treating the name
of the constant as a string, in case that's what you really meant. The
result is that it will "work" most of the time, but it's not completely
reliable (what if there happens to be a constant by that name?), and
it's very ugly regardless.

Hope that helps.

Chris

-- 
Chris Shiflett
Principal, OmniTI
http://omniti.com/
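
The two points in the reply above, as an added example that is not part of the original post: the curly-brace syntax used with a value escaped for HTML output, and a header value checked before it is used. The sample input, the helper names html() and safe_redirect_target(), and the allow-listed paths are assumptions made for illustration.

```php
<?php
// Constructed sample input standing in for $_GET (hypothetical values).
$input = [
    'name' => '<script>alert(1)</script>',
    'next' => "/home\r\nX-Injected: 1",
];

// The patterns the reply warns about, shown only as comments:
//   echo "Hello, {$_GET['name']}";           // raw input in HTML: XSS
//   header("Location: {$_GET['next']}");     // raw input in a header: response splitting

// HTML context: escape at the point of output.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Header context: refuse CR/LF outright, then accept only known local paths.
function safe_redirect_target(string $value, array $allowed, string $default = '/'): string
{
    if (preg_match('/[\r\n]/', $value)) {
        return $default; // a line break would start a new header line
    }
    return in_array($value, $allowed, true) ? $value : $default;
}

// Curly braces around a quoted array key work inside a double-quoted string;
// here the element holds the already-escaped value.
$view = ['name' => html($input['name'])];
$greeting = "<p>Hello, {$view['name']}</p>";

$target = safe_redirect_target($input['next'], ['/home', '/account']);

// Print what would be sent instead of calling header(), so the script
// can be run from the command line.
echo "Location: {$target}\n";
echo $greeting, "\n";
```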


