Should I use curly brackets or concatenate variables within strings?
With pre-comiled PHP (Bytecode Cache) it makes no difference.
This feature come with PHP 5.5 (Zend Optimizer+).
Although not dealing with injection attacks (including SQLi), it should at least be noted -- especially for PHP devs -- that using any of the above techniques without first encoding and validating all inputs will lead you to an injection-based attack.
It is important to remember security at the beginning of coding -- not the end when all of the code needs to be redone to comply with security requirements. Or, when you finally get this dang " vs. ' war down and realize that it doesn't matter because you are susceptible to XSS using either technique without properly encoding and validating all inputs.
- Encode using urlencode() or htmlenities() to normalize the input(s).
- Use data-typing for non-strings OR dictionary-lookup and/or regular expressions for strings to validate.
- Profit?
All of the following does the same if you look at the output.
$greeting = "Welcome, " . $name . "!";
$greeting = 'Welcome, ' . $name . '!';
$greeting = "Welcome, $name!";
$greeting = "Welcome, {$name}!";
You should not be using option 1, use option 2 instead. Both option 3 and 4 are the same. For a simple variable, braces are optional. But if you are using array elements, you must use braces; e.g.: $greeting = "Welcome, {$user['name']}!";
. Therefore as a standard, braces are used if variable interpolation is used, instead of concatenation.
But if characters such as tab (\t
), new-line (\n
) are used, they must be within double quotations.
Generally variable interpolation is slow, but concatenation may also be slower if you have too many variables to concatenate. Therefore decide depending on how many variables among other characters.