From: Adam Richardson on
On Thu, Aug 5, 2010 at 10:53 PM, Rick Dwyer <rpdwyer(a)earthlink.net> wrote:

>
> On Aug 5, 2010, at 10:43 PM, Michael Shadle wrote:
>
> >
> > For HTML, -always- use double quotes.
> >
> > <tag attribute="bar" /> is the right way.
> > <tag attribute='bar' /> is the wrong way.
> >
> > I'd go into more explanation but there simply doesn't need to be one.
>

I would suggest that saying <tag attribute='bar' /> is "the wrong way" is a
rather strong assessment. Whether you're talking about SGML (the
grandparent), XML (the parent), or XHTML, the use of a single quote is
perfectly valid, and has served a purpose since inception. If I'm crafting
markup and embedding something that has a double quote within an attribute
(often times an alt attribute on an image), I don't hesitate to use the
single quote as the attribute delimiter. That said, it's often easier if
you standardize on one, and most choose to use double quotes as the default
delimiter.

Tim Bray, who knows a little bit about XML dialects (tongue in cheek),
appears to default to the single quote as his delimiter of choice:
http://www.tbray.org/ongoing/

Now, speaking to questions/concerns about JavaScript events' frequent use of
single quotes, this begs the question: Why are you embedding JavaScript events
into the markup of the page? I'm aware of many sources that advocate
against mixing JavaScript and HTML in this way (see the books PPK on
JavaScript, DOM Scripting, etc.)

That said, if there are some sources to point to that make a case for the
deprecation of single quotes in (X)HTML attributes, please let me know.

Adam

--
Nephtali: PHP web framework that functions beautifully
http://nephtaliproject.com
From: Michael Shadle on
On Thu, Aug 5, 2010 at 8:51 PM, Adam Richardson <simpleshot(a)gmail.com> wrote:

> I would suggest that saying <tag attribute='bar' /> is "the wrong way" is a
> rather strong assessment.  Whether you're talking about SGML (the
> grandparent), XML (the parent), or XHTML, the use of a single quote is
> perfectly valid, and has served a purpose since inception.  If I'm crafting
> markup and embedding something that has a double quote within an attribute
> (often times an alt attribute on an image), I don't hesitate to use the
> single quote as the attribute delimiter.  That said, it's often easier if
> you standardize on one, and most choose to use double quotes as the default
> delimiter.

> That said, if there are some sources to point to that make a case for the
> deprecation of single quotes in (X)HTML attributes, please let me know.

Well, most people use htmlspecialchars() to encode text for safe
display to a browser.

By default, it only encodes double quotes:
http://php.net/htmlspecialchars

"The default mode, ENT_COMPAT, is the backwards compatible mode which
only translates the double-quote character and leaves the single-quote
untranslated."

We've run into issues where we thought our forms were fairly secure,
but some people decided to echo "<input type='string' value='$foo' />"
type stuff, which works fine if you encapsulate attributes in double
quotes, but in single quotes, we found out that anyone who had a
single quote in that value would break the page.

Now, I typically use a central wrapper function for encoding and
decoding, and if it was in use there, sure, I could have thrown in
ENT_QUOTES and solved that issue.

However, the vast majority of everything uses double quotes, and there
is not really a reason to NOT use them.

Of course, I put it out there like that to simply push it because it
should be appropriate for everyone. You are right though - it WILL
work with single quotes (as we can see), but I recommend a single way
of doing things to keep things consistent, and it has been the
unspoken standard everywhere I've ever looked for markup...

(Funny enough, that page has an example with a single quoted attribute)

Leave the single quotes for parameters, indexes, code, not attributes - $.02
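
[Added example, not part of the original message.] The interaction described in the message above, between the attribute delimiter and the htmlspecialchars() flag, can be checked by rendering an input and parsing it back. The helper names render_input() and parsed_attributes() and the sample values are constructed for this illustration; the DOM extension is assumed to be available. Flags are passed explicitly because the default changed from ENT_COMPAT to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401 in PHP 8.1.

```php
<?php
// Added example (not from the thread): which escaping flag is safe with
// which attribute delimiter.

// Render an <input> whose attributes use the given delimiter.
function render_input(string $value, string $delim, int $flags): string
{
    $escaped = htmlspecialchars($value, $flags, 'UTF-8');
    return "<input type={$delim}text{$delim} value={$delim}{$escaped}{$delim} />";
}

// Parse the markup with an HTML parser and return the attributes that
// actually ended up on the <input> element.
function parsed_attributes(string $html): array
{
    libxml_use_internal_errors(true);   // tolerate the broken markup
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    $input = $doc->getElementsByTagName('input')->item(0);
    $attrs = [];
    foreach ($input->attributes as $attr) {
        $attrs[$attr->name] = $attr->value;
    }
    return $attrs;
}

// Constructed sample values: an ordinary surname and a quoted phrase.
$samples = ["O'Brien", 'say "hi"'];
$modes   = ['ENT_COMPAT' => ENT_COMPAT, 'ENT_QUOTES' => ENT_QUOTES];

foreach ($samples as $value) {
    foreach (["'", '"'] as $delim) {
        foreach ($modes as $name => $flags) {
            $attrs = parsed_attributes(render_input($value, $delim, $flags));
            // Safe only if the value survives intact and no extra
            // attribute appeared on the element.
            $ok = (($attrs['value'] ?? null) === $value) && count($attrs) === 2;
            printf("%-10s delim %s  %-10s => %s\n",
                $value, $delim, $name, $ok ? 'round-trips' : 'BROKEN');
        }
    }
}
```

Only the combination of a single-quote delimiter, ENT_COMPAT and a value containing a single quote fails the check; ENT_QUOTES is safe with either delimiter.
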
From: Michael Shadle on
On Thu, Aug 5, 2010 at 8:51 PM, Adam Richardson <simpleshot(a)gmail.com> wrote:

> Tim Bray, who knows a little bit about XML dialects (tongue in cheek),
> appears to default to the single quote as his delimiter of choice:
> http://www.tbray.org/ongoing/

Side note, looks like his stuff is auto-generated by something, so
it's defined once and replicated many times for templating... but also
I do see some attributes with double quotes mixed in, i.e.:

<div class="employ">I work for Google, but the opinions expressed here
are my own, and no other party necessarily
agrees with them.<br/>
A full disclosure of my professional interests is on the <a
href='/ongoing/misc/Tim'>author</a> page.
</div>


<h2 id='comments'>Contributions</h2>
<div class="comments"><p>Comment feed for <span
class="o">ongoing</span>:<a href="/ongoing/comments.atom"><img
src="/ongoing/Feed.png" alt="Comments feed"/></a></p>


<a href="/ongoing/"
onclick="setActiveStyleSheet('serif'); return false;"
onkeypress = "setActiveStyleSheet('serif'); return false;"
accesskey="p" id="serif">Serif</a> &#xb7;
<a href="/ongoing/"
onclick="setActiveStyleSheet('sans'); return false;"
onkeypress = "setActiveStyleSheet('sans'); return false;"
accesskey="p" id="sans">Sans-Serif</a>


I should say also - double quotes help when using inline JavaScript
in attributes too :) add that to my reasons. I just default to double
quotes because of history developing things, it just works easier.
From: Peter Lind on
On 6 August 2010 04:10, Rick Dwyer <rpdwyer(a)earthlink.net> wrote:
> Hi List.
> I've mentioned before that I am both just beginning to learn PHP AND I have inherited a number of pages that I'm trying to clean up the w3c validation on.
>
> Something that confuses me is how the code on the page is written where in one instance, it follows this:
>
> echo "<table border='1'><tr>....
>
> And elsewhere on the page it follows:
>
> echo '<table border="1"><tr>....
>
> In what I've read and from many of the suggestions from this board, the latter seems to be the better way to code, generally speaking.
>

It isn't better or worse. The only thing that makes a difference is
what suits you - stick to what works for you. Both double-quotes and
single-quotes can result in gotchas (in double quotes you have to
escape more, which you have to keep in mind, whereas in single quotes
you have a lot less power, which you might forget). There's no
difference in performance, which leaves just one thing: personal
preference.

Regards
Peter

--
<hype>
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
</hype>
From: Richard Quadling on
On 6 August 2010 07:34, Peter Lind <peter.e.lind(a)gmail.com> wrote:
> On 6 August 2010 04:10, Rick Dwyer <rpdwyer(a)earthlink.net> wrote:
>> Hi List.
>> I've mentioned before that I am both just beginning to learn PHP AND I have inherited a number of pages that I'm trying to clean up the w3c validation on.
>>
>> Something that confuses me is how the code on the page is written where in one instance, it follows this:
>>
>> echo "<table border='1'><tr>....
>>
>> And elsewhere on the page it follows:
>>
>> echo '<table border="1"><tr>....
>>
>> In what I've read and from many of the suggestions from this board, the latter seems to be the better way to code, generally speaking.
>>
>
> It isn't better or worse. The only thing that makes a difference is
> what suits you - stick to what works for you. Both double-quotes and
> single-quotes can result in gotchas (in double quotes you have to
> escape more, which you have to keep in mind, whereas in single quotes
> you have a lot less power, which you might forget). There's no
> difference in performance, which leaves just one thing: personal
> preference.
>
> Regards
> Peter
>
> --
> <hype>
> WWW: http://plphp.dk / http://plind.dk
> LinkedIn: http://www.linkedin.com/in/plind
> BeWelcome/Couchsurfing: Fake51
> Twitter: http://twitter.com/kafe15
> </hype>

You also have heredoc ...

<?php
$array = array('value' => 'A "daft" div. Click me and you\'re a numpty.');

echo <<<END_HTML_WITH_EMBEDDED_JS
<html>
<head>
<title>All In One</title>
</head>
<body>
<div>The div below should say that it is a "daft" div and if you
click it then you're a numpty.</div>
<div class="daft" onClick="alert('You clicked a \"daft\" div and
you\'re a numpty');">{$array['value']}</div>
</body>
</html>
END_HTML_WITH_EMBEDDED_JS;
?>

will output ...

<html>
<head>
<title>All In One</title>
</head>
<body>
<div class="daft" onClick="alert('You clicked a \"daft\" div and
you\'re a numpty');">A "daft" div. Click me and you're a numpty.</div>
</body>
</html>

The above example shows how escaping can be minimized. I've done it
manually, but it could have been done by using htmlentities() or
htmlspecialchars() with ENT_QUOTES.

Only the JS code needed the escaping. The \" because the " is in an
attribute value (which used " as the delimiter) and the \' because the
' is used as a string delimiter for the alert() call.

Obviously, it IS a bit of a mess. Using normal string concatenation,
it becomes a lot harder.



<?php
$array = array('value' => 'A "daft" div. Click me and you\'re a numpty.');

echo "<html>
<head>
<title>All In One</title>
</head>
<body>
<div>The div below should say that it is a \"daft\" div and if you
click it then you're a numpty.</div>
<div class=\"daft\" onClick=\"alert('You clicked a \\\"daft\\\" div
and you\'re a numpty');\">{$array['value']}</div>
</body>
</html>";
?>

So, 3 \. The first \ is to escape the second \, the third to escape
the ". Which results in \" which is an escape of the " in the HTML.

Now imagine the above string was a search and replace via some regular
expression. Sure you _can_ work it out, but sometimes you just keep
adding \ until it works.

You may need up to 6 \ in a row... or more!

Richard.
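
[Added example, not part of the original message.] An alternative to counting backslashes by hand is to encode once per layer: json_encode() for the JavaScript string literal, then htmlspecialchars() with ENT_QUOTES for the HTML attribute that carries it. The helper names js_string() and onclick_div() are hypothetical; PHP 7.3 or later and the DOM extension are assumed.

```php
<?php
// Added example (not from the thread): encode once per layer.
// Layer 1: the text becomes a JavaScript string literal (json_encode).
// Layer 2: the JavaScript becomes an HTML attribute value (htmlspecialchars).

function js_string(string $text): string
{
    // JSON_HEX_* emits \u0022, \u0027, \u003C, \u003E and \u0026 in place
    // of " ' < > &, so the literal carries no HTML-significant characters.
    return json_encode($text,
        JSON_HEX_QUOT | JSON_HEX_APOS | JSON_HEX_TAG | JSON_HEX_AMP
        | JSON_THROW_ON_ERROR);
}

function onclick_div(string $alertText, string $bodyText): string
{
    $js = 'alert(' . js_string($alertText) . ');';
    // HTML has no backslash escape: the " that json_encode puts around
    // the literal must become &quot; inside a "-delimited attribute.
    return '<div class="daft" onclick="'
        . htmlspecialchars($js, ENT_QUOTES, 'UTF-8') . '">'
        . htmlspecialchars($bodyText, ENT_QUOTES, 'UTF-8') . '</div>';
}

// Sample strings taken from the message above.
$alertText = 'You clicked a "daft" div and you\'re a numpty';
$bodyText  = 'A "daft" div. Click me and you\'re a numpty.';
$html = onclick_div($alertText, $bodyText);
echo $html, "\n";

// Check: parse the markup back and confirm both layers survived intact.
libxml_use_internal_errors(true);
$doc = new DOMDocument();
$doc->loadHTML('<html><body>' . $html . '</body></html>');
$div = $doc->getElementsByTagName('div')->item(0);
var_dump($div->getAttribute('onclick') === 'alert(' . js_string($alertText) . ');');
var_dump($div->textContent === $bodyText);
```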