4

Often when writing PHP I'll have it output some HTML like this -

    echo "<a href="../" title="link title">".$link_text."</a>";

Obviously this won't parse as I need to escape the double quotes in the attributes of the <a> element. Is there a regex that would quickly do this rather than me manually adding the backslashes?

One other thing - the regex shouldn't escape double quotes outside of the tag (e.g. where I've appended the $link_text variable).

Any ideas?

Phil

6 Answers

14

You should just use single-quotes instead:

    echo '<a href="../" title="link title">' . $link_text . '</a>';

Greg
  • I disagree with htmlspecialchars inline when printing, by the time you print all arguments should already be clean. – joebert Jul 08 '09 at 10:13
  • anyway, @joebert, htmlspecialchars must be used before printing :) – Maciej Łebkowski Jul 08 '09 at 10:38
  • Thanks - looks like switching to single quotes is the simple (and possibly fastest?) solution. Also - appreciate the concern about cleaning output using htmlspecialchars(). I left it out of the example code for clarity. – Phil Jul 08 '09 at 10:53
  • yes, most likely the single quotes method would be the fastest – Maciej Łebkowski Jul 08 '09 at 11:47
  • in addition, you can use "," instead of "." with echo. this will avoid string concatenation and will be even faster (works only with echo) – Maciej Łebkowski Jul 08 '09 at 11:48
  • "I left it out of the example code for clarity" -- please don't do this! It causes bad practises by newbies who just copy and paste code from examples. – Peter Boughton Jul 08 '09 at 12:53
8

Solutions I can come up with (not without escaping):

  • Single quotes

    echo '<a href="../">' . $link_text. '</a>';
    
  • Use double quotes

    echo "<a href='../'>$link_text</a>";
    
  • Sprintf

    echo sprintf('<a href="../">%s</a>', $link_text);
    
  • Use HEREDOC

    echo <<<EOF
    <a href="../">$link_text</a>
    EOF;
    
  • Use template engine like smarty

  • Exit PHP-mode:

    ?><a href="../"><?php echo $link_text ?></a><?php // other code...
    

BTW, be sure to use htmlspecialchars() on $link_text variable, or you’ll have an XSS security hole.

Maciej Łebkowski
  • Thanks - looks like switching to single quotes is the simple (and possibly fastest?) solution. Also - appreciate the concern about cleaning output using htmlspecialchars(). I left it out of the example code for clarity. – Phil Jul 08 '09 at 10:52
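
The escaping that the answer and comments above call for, as an added example that is not part of the original thread. It goes one step further than the thread by also restricting the `href` scheme, because `htmlspecialchars()` alone does not make a `javascript:` URL harmless. `h()`, `safe_href()` and `link_html()` are hypothetical helper names, and the sample values are constructed.

```php
<?php
// Added example, not code from the thread. Helper names are hypothetical.

function h(string $s): string
{
    // ENT_QUOTES escapes both " and ', so the value cannot break out of
    // an attribute whichever quoting style the surrounding HTML uses.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function safe_href(string $href): string
{
    $href = trim($href);
    // Browsers ignore tabs and newlines inside a URL, so refuse control
    // characters outright instead of trying to normalise them.
    if (preg_match('/[\x00-\x1f\x7f]/', $href)) {
        return '#';
    }
    // If the value starts with a URL scheme, allow only http and https.
    // Relative URLs such as "../" have no scheme and pass through.
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $href, $m)
        && !in_array(strtolower($m[1]), ['http', 'https'], true)) {
        return '#';
    }
    return $href;
}

function link_html(string $href, string $title, string $text): string
{
    // Single-quoted PHP strings keep the HTML double quotes readable;
    // every dynamic value is escaped at the point of output.
    return '<a href="' . h(safe_href($href)) . '" title="' . h($title) . '">'
         . h($text) . '</a>';
}

// Constructed sample input standing in for untrusted data.
$link_text = '"><script>alert(1)</script>';

// Markup characters in the title and text come out as HTML entities.
echo link_html('../', 'link "title"', $link_text), "\n";

// A non-http(s) scheme is replaced with "#".
echo link_html('javascript:alert(1)', 'profile', 'click'), "\n";
```
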
5

Use (This syntax doesn't worry about quotes etc.)

    echo <<<EOT
    <a href="../" title="link title">$link_text</a>
    EOT;

Ish
3

I'd strongly suggest using templating instead of trying to build strings.

In raw PHP:

    <a href="../" title="link title"><?php echo $link_text; ?></a>

Quentin
  • Point taken - though there's times when I just want to quickly output a small string of HTML (from say a function or method) and using a templating engine is a bit overkill. – Phil Jul 08 '09 at 10:58
0

Use single quotes or use heredoc. I'd prefer the last.

loler
0

I think you can use

http://www.example.com/.../Learning-Tutorials/ACTIVE-USER-ACCOUNT/verify.php?email='.$email.'&hash='.$hash.'

"<a href="//www.example.com/.../Learning-Tutorials/ACTIVE-USER-ACCOUNT/verify.php?email="$email&hash=$hash>Click Here to Active</a>"

try it.

Christian Gollhardt