In general which is safer to use, with regards to XSS evasion in particular?
echo '<input name="'.$input_name.'">';
echo "<input name='$input_name'>";
I'm guessing single quotes, but wondering why & hoping to find recommended reading.
It doesn't make a difference if used correctly.
The first version is standard though. Single quotes are less often used around HTML attribute values, so you need to be a bit more careful when using various functions meant to protect against XSS, as they may not necessarily take this case into consideration.
htmlspecialchars for example does not encode ' by default; you need to specifically set ENT_QUOTES. Any custom function your project or framework may use may have the same problem.
Even if you use " in PHP you don't need to use ' in HTML. I'd recommend
echo "<input name=\"$input_name\">";
or even
echo "<input name=\"".$input_name."\">";
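As an added illustration of the point made in the answer (this is not code from the question or the answer), the following PHP renders the same constructed input into a single-quoted attribute with and without ENT_QUOTES, and into a double-quoted attribute, then checks whether the attribute delimiter survives intact. Flags are passed explicitly because the default flags of htmlspecialchars() changed in PHP 8.1 to include ENT_QUOTES.

```php
<?php
// Added example, not code from the question or answer above. Shows why the
// single-quoted attribute form is only safe when the escaper also encodes
// the single quote. ENT_COMPAT is the pre-8.1 default of htmlspecialchars().

// Single-quoted attribute, escaper that encodes & < > " but NOT '.
function attr_single_quoted_compat(string $value): string
{
    return "<input name='" . htmlspecialchars($value, ENT_COMPAT, 'UTF-8') . "'>";
}

// Single-quoted attribute, escaper that also encodes ' (as &#039;).
function attr_single_quoted_safe(string $value): string
{
    return "<input name='" . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "'>";
}

// Double-quoted attribute: " is encoded even with the old default flags,
// so the delimiter cannot be broken out of.
function attr_double_quoted(string $value): string
{
    return "<input name=\"" . htmlspecialchars($value, ENT_COMPAT, 'UTF-8') . "\">";
}

// Defensive check: the chosen quote character may appear exactly twice in
// the rendered tag (the two delimiters). A third occurrence means user input
// terminated the attribute value early.
function delimiter_intact(string $html, string $quote): bool
{
    return substr_count($html, $quote) === 2;
}

// Constructed input containing both quote characters.
$input_name = "a'b\"c";

foreach ([
    'single/ENT_COMPAT' => [attr_single_quoted_compat($input_name), "'"],
    'single/ENT_QUOTES' => [attr_single_quoted_safe($input_name), "'"],
    'double/ENT_COMPAT' => [attr_double_quoted($input_name), '"'],
] as $label => [$html, $quote]) {
    printf("%-18s %-6s %s\n", $label, delimiter_intact($html, $quote) ? 'ok' : 'BROKEN', $html);
}
```

Only the single-quoted/ENT_COMPAT case reports BROKEN, which is exactly the mismatch between attribute delimiter and escaper flags the answer warns about.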