56

Is there an advantage or disadvantage to concatenating variables within strings or using curly braces instead?

Concatenated:

$greeting = "Welcome, " . $name . "!";

Curly braces:

$greeting = "Welcome, {$name}!";

Personally, I've always concatenated my strings, because I use UEStudio, and it highlights PHP variables with a different color when concatenated. However, when the variable is not broken out, it does not. It just makes it easier for my eyes to find PHP variables in long strings, etc.

People are confusing this as being about SQL. This is not what this question is about. I've updated my examples to avoid confusion.

3
  • 1
    Duplicate of way too many questions, including stackoverflow.com/questions/1311368/… (this is more of a single vs double quote question, but then curly braces can only be used in double quoted strings anyway) Commented Jan 13, 2011 at 3:08
  • Yeah I seem to be the only one here who realizes your question isn't specifically about SQL (hence me saying "off-topic"). Commented Jan 13, 2011 at 3:49
  • 1
    PhpStorm correctly highlights the variables inside quoted in quotes separately. Commented Nov 6, 2015 at 3:05

3 Answers 3

59

All of the following do the same if you look at the output.

  1. $greeting = "Welcome, " . $name . "!";
  2. $greeting = 'Welcome, ' . $name . '!';
  3. $greeting = "Welcome, $name!";
  4. $greeting = "Welcome, {$name}!";

You should not be using option 1, use option 2 instead. Both option 3 and 4 are the same. For a simple variable, braces are optional. But if you are using array elements, you must use braces; e.g.: $greeting = "Welcome, {$user['name']}!";. Therefore as a standard, braces are used if variable interpolation is used, instead of concatenation.

But if characters such as tab (\t), new-line (\n) are used, they must be within double quotations.

Generally variable interpolation is slow, but concatenation may also be slower if you have too many variables to concatenate. Therefore decide depending on how many variables among other characters.


7 Comments

Thank you for the detailed explanation. I believe I'll continue to concatenate over curly braces.
Boah, really. @mririgo The single quotes micro optimization myth has been thoroughly debunked. Unless you have a 2GB php script with millions of strings in it, you will not be able to measure it - as it lies solely in the tokenizer. Use xdebug and find something real to optimize.
When we develop web sites for concurrent access, we must optimize coding/web pages as much as possible.
Curly braces are not required with array elements. Simply take out the single quotes: $greeting = "Welcome, $user[name]"; This is the only time $user[name] will not result in a notice.
php.net/manual/en/language.types.string.php says you don't need to wrap array elements with curly braces
3

Although not dealing with injection attacks (including SQLi), it should at least be noted -- especially for PHP devs -- that using any of the above techniques without first encoding and validating all inputs will lead you to an injection-based attack.

It is important to remember security at the beginning of coding -- not the end when all of the code needs to be redone to comply with security requirements. Or, when you finally get this dang " vs. ' war down and realize that it doesn't matter because you are susceptible to XSS using either technique without properly encoding and validating all inputs.

  1. Encode using urlencode() or htmlentities() to normalize the input(s).
  2. Use data-typing for non-strings OR dictionary-lookup and/or regular expressions for strings to validate.
  3. Profit?

2 Comments

urlencode() and htmlentities() should not be used to normalize inputs. Rather, they should be used before outputting to the browser user-entered data that should not contain HTML, JS, or CSS.
If you're doing SQL, always use prepared statements. Even the most well-intentioned string sanitizers have been thoroughly thumped over time by various attacks. Prepared statements cleanly separate the logic from the data, giving much more efficient data insertions and retrievals, and the security has been scrutinized by experts in the database field. Alternatively use a battle-hardened ORM (preferably of the data-mapping rather than active-record variety, if you value performance and type safety).
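
The point made in the answer and comments above, as an added example that is not code from any poster in this thread: both string-building styles from the question produce the same unencoded string, so the defense is encoding at the point of HTML output and binding values in SQL. The helper `h()`, the sample inputs, and the `users` table are constructed for illustration, and the SQL part assumes the `pdo_sqlite` extension is available.

```php
<?php
declare(strict_types=1);

// Constructed sample input standing in for a request parameter.
$name = '<script>alert(1)</script>';

// Both styles from the question build the same string, markup included.
$concatenated = 'Welcome, ' . $name . '!';
$interpolated = "Welcome, {$name}!";
var_dump($concatenated === $interpolated);

// Hypothetical helper: encode for an HTML text or attribute context at the
// point of output, not when the input is received.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$safeGreeting = 'Welcome, ' . h($name) . '!';
echo $safeGreeting, PHP_EOL;

// SQL is a different context: bind the value instead of building the query
// by concatenation or interpolation. Assumes the pdo_sqlite extension; the
// users table is constructed for this example.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');

$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => "Robert'); DROP TABLE users;--"]);

$select = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$select->execute([':id' => 1]);
$stored = $select->fetchColumn();

// The stored value is the raw string; encode it when it is written to HTML.
echo h($stored), PHP_EOL;
```

The bound value is stored verbatim and the table survives, because the driver never parses it as SQL; the same value still has to pass through `h()` before it reaches a page.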
3

With pre-compiled PHP (Bytecode Cache) it makes no difference.

This feature comes with PHP 5.5 (Zend Optimizer+).
