quotes in POST but not in variable

[justinh]

I have a bit of a mystery with quotes in variables.  I'm writing an application that takes a text string from a page from via POST, and I was concerned about dealing with single or double quotes.

I know that if you use single to wrap the content, then there is no issue processing double:

$myvar =  'I say "hello" world'; // I say "hello" world

And if you use double to wrap the content, then there is no issue processing single:

$myvar = "I say don't do that"; // I say don't do that

If you use the same quote inside and outside w/o escaping the non-wrapping quotes, PHP will throw an error.  Example:

$myvar = "I say "hello" world"; // => Parse error

So, I expected my POST values to give me errors if I didn't escape or convert to HTML codes, but I thought how can I do either to prevent an error w/o first incurring the error while extracting the POST data?  I just tried using both quotes in my strings and everything works fine.

$desc1 = ($_POST["desc1"]); echo $desc1; // this is double "test" and single 'test' string

Even if I quote the variable in the echo it works.

Why do I not get an error when going thru the POST?

Justin

Edited October 15, 2017 by justinh

[Ingolme]

You have to distinguish between a representation of the string in your code and the actual value of the string. The variable is being sent in from outside, so there's no literal string that needs to be parsed by the PHP engine.