Doc Bug #69234 Escaped single quotes within double quotes not recognized
Submitted: 2015-03-12 22:04 UTC Modified: 2016-06-23 23:58 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: chrisdmiddleton at gmail dot com Assigned: cmb (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2015-03-12 22:04 UTC] chrisdmiddleton at gmail dot com
Description:
------------
When a single quote is backslashed within a single quote (e.g. '\''), the result is a one-character string consisting of the single quote. However, when the same is done within a *double*-quoted string, the result is a two-character string (\'). This behavior is unexpected, since in every other way, double-quoted strings are *more* interpretive than single-quoted strings. Furthermore, the manual (http://php.net/manual/en/language.types.string.php#language.types.string.syntax.single) says

> To specify a literal single quote, escape it with a backslash (\). To specify a literal backslash, double it (\\).
> ...
> If the string is enclosed in double-quotes ("), PHP will interpret **more** [emphasis mine] escape sequences for special characters: 
> ...
> As in single quoted strings, escaping any other character will result in the backslash being printed too. Before PHP 5.1.1, the backslash in \{$var} had not been printed. 

In my mind, this is a bug - namely, the double quoted version should also accept escaped single quotes, since this is true in most other languages:

JavaScript
    "\'" === '\'' // ==> true
Python
    '\'' == "\'" # ==> True
Ruby
    print "\'" == '\'' # ==> true
Perl
    #!/usr/bin/perl
    print "\'" eq '\''; # ==> 1 (true)
bash (no, but printf does)
    echo "\'" # ==> \'
    printf "\'" # ==> '
C/C++
    #include <stdio.h>
    int main (void) {
      printf("\'"); // ==> '
      return 0;
    }
Java
    public class Temp {
      public static void main (String[] args) {
        System.out.println("\'"); // ==> '
      }
    }

However, if this is a bug that has existed for a long time (and not intentional), then changing it might break backward compatibility. In any event, the documentation should be made *very* clear about this issue. In my case, it was causing inappropriately quoted SQL, e.g. allowing an attack. I'm sure that many other people who assume the behavior to be the same as in other languages might make the same mistake.

Test script:
---------------
<?php

echo "\'";

// Expected: '
// Actual: \'


 [2015-03-12 22:36 UTC] chrisdmiddleton at gmail dot com
I see now that the behavior is somewhat consistent, in the sense that the characters which are escapable are the *minimum* set of characters. (Since you don't need the backslash for single quotes in double quotes, why provide it...) But the behavior is somewhat counterintuitive and the documentation should at least be made clear about this particular case.
 [2015-03-13 02:16 UTC] requinix@php.net
-Type: Bug +Type: Documentation Problem -Package: *General Issues +Package: Scripting Engine problem
 [2015-03-13 02:16 UTC] requinix@php.net
\' and \" are about inserting the string delimiter character. The consistency is that '\"' and "\'" both retain their backslashes.

And as you quoted,
>As in single quoted strings, escaping any other character [not included in the
>above table] will result in the backslash being printed too.

Do you feel like the documentation should explicitly point out that "escaping" the opposite quote character will keep the backslash?
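
The rule described in the comment above (each quote style un-escapes only its own delimiter), together with the SQL quoting consequence the reporter mentions, as an added example that is not part of the original thread. The `users` table, the sample name, the `lookup()` helper and the in-memory SQLite database (PDO with the pdo_sqlite extension) are assumptions made for illustration.

```php
<?php
// Added illustration, not code from the bug report or from php.net.

// 1. Each quote style consumes the backslash only before its OWN delimiter.
$cases = [
    'single, own delimiter'  => '\'',  // backslash consumed
    'double, own delimiter'  => "\"",  // backslash consumed
    'single, opposite quote' => '\"',  // backslash kept
    'double, opposite quote' => "\'",  // backslash kept
];
foreach ($cases as $label => $s) {
    printf("%-24s len=%d hex=%s\n", $label, strlen($s), bin2hex($s));
}

// 2. Hand-"escaping" an apostrophe inside a double-quoted PHP string puts a
//    literal backslash into the data. If that string is then spliced into
//    SQL text, whether the statement is quoted correctly depends on the
//    database's own escaping rules, not on PHP's.
$handEscaped = "O\'Brien";  // constructed sample value; backslash is data
$spliced     = "SELECT id FROM users WHERE name = '$handEscaped'";
echo $spliced, "\n";        // shows the backslash reaching the SQL text

// 3. Bound parameters keep PHP string syntax and SQL syntax separate, so no
//    escaping has to be done by hand. Assumes pdo_sqlite is available.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->prepare('INSERT INTO users (name) VALUES (?)')->execute(["O'Brien"]);

// Hypothetical helper: returns the matching id, or false when no row matches.
function lookup(PDO $pdo, string $name)
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchColumn();
}

var_dump(lookup($pdo, "O'Brien"));     // plain apostrophe: the row is found
var_dump(lookup($pdo, $handEscaped));  // stray backslash: a different value
```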
 [2015-03-13 04:35 UTC] chrisdmiddleton at gmail dot com
> Do you feel like the documentation should explicitly point out that "escaping" the opposite quote character will keep the backslash?

Given that this is not the case in most other languages, I think it could be worth pointing out. I understand the reasoning now though.
 [2015-11-22 08:20 UTC] info at stenschke dot com
This is the expected behavior, not a bug. See PHP documentation.
 [2016-06-23 23:57 UTC] cmb@php.net
Automatic comment from SVN on behalf of cmb
Revision: http://svn.php.net/viewvc/?view=revision&revision=339469
Log: Fix #69234: Escaped single quotes within double quotes not recognized
 [2016-06-23 23:58 UTC] cmb@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2016-06-23 23:58 UTC] cmb@php.net
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.
 [2016-06-24 10:26 UTC] cmb@php.net
Automatic comment from SVN on behalf of cmb
Revision: http://svn.php.net/viewvc/?view=revision&revision=339475
Log: Improve fix of #69234 as suggested by salathe
 [2020-02-07 06:07 UTC] phpdocbot@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=doc/en.git;a=commit;h=49cdb0085e74fcb64f87d1f204043a5ce2467189
Log: Fix #69234: Escaped single quotes within double quotes not recognized
 
Last updated: Fri Apr 19 07:01:27 2024 UTC