
String Interpolation & Heredoc/Nowdoc

Language: PHP · Applies to: PHP 5.0+ · Level: Beginner

Also Known As

string interpolation PHP, variable in string, double-quoted string PHP

TL;DR

PHP's double-quoted strings and heredoc syntax interpolate variables; nowdoc is the single-quoted equivalent — each with distinct escaping rules.

Explanation

PHP offers four string literal syntaxes: single-quoted, double-quoted, heredoc and nowdoc. Double-quoted strings interpolate simple variables ($name), array elements ({$arr['key']}), and complex expressions in curly braces ({$expr}; the ${expr} form also exists). Heredoc (<<<EOT ... EOT) behaves like a double-quoted string spanning multiple lines, which makes it convenient for SQL, HTML templates, and email bodies. Nowdoc (<<<'EOT' ... EOT) is the heredoc counterpart of a single-quoted string: no interpolation at all, so it suits content containing dollar signs or backslashes that must not be treated as escape sequences.

PHP 8.3 tightened the heredoc/nowdoc indentation rules: the indentation of the closing marker defines how much leading whitespace is stripped from each line of the body.

Never interpolate user data into SQL strings. Use prepared statements, however readable $query = "SELECT * FROM users WHERE id=$id" may look.

Common Misconception

The misconception: string interpolation and concatenation are always interchangeable. In practice, interpolation is generally slightly faster for embedding simple variables, since it avoids the overhead of the concatenation operator, while complex expressions still require concatenation or the {$var->method()} curly syntax.

Why It Matters

PHP string interpolation embeds variables directly in double-quoted strings. That convenience can cause subtle bugs with complex expressions, and it becomes a security issue when SQL or HTML is built by interpolation.

Common Mistakes

  • Interpolating user input directly into SQL queries — even inside a string, this is SQL injection.
  • Complex expressions in strings: "User {$user->getName()}" — use concatenation or sprintf for clarity.
  • Confusing single-quoted (no interpolation) and double-quoted (interpolation) strings.
  • Not using curly brace syntax for array access: "Hello $user[name]" vs "Hello {$user['name']}".

Code Examples

✗ Vulnerable
$q = "SELECT * FROM users WHERE email='$email'"; // SQLi via interpolation: $email becomes part of the SQL text
✓ Fixed
$stmt = $pdo->prepare('SELECT * FROM users WHERE email = ?'); // placeholder instead of interpolation
$stmt->execute([$email]);                                       // $email is bound as data, never parsed as SQL
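An added example, not from the original page, that walks through the interpolation forms described in the Explanation and the vulnerable/prepared pair above; it assumes PHP 7.3 or later (indented heredoc closing markers) with the PDO SQLite driver, and all sample data is constructed.

```php
<?php
declare(strict_types=1);

// Constructed sample data (not from the original page).
$name  = 'Ada';
$user  = ['name' => 'Ada', 'roles' => ['admin']];
$email = "x' OR '1'='1"; // constructed hostile input: shows why interpolation into SQL is unsafe

// 1. Double-quoted interpolation forms.
$simple  = "Hello $name";               // simple variable
$index   = "Hello $user[name]";         // simple syntax: unquoted key, one level only
$curly   = "Hello {$user['name']}";     // quoted key needs curly braces
$nested  = "Role: {$user['roles'][0]}"; // nested access needs curly braces
$escaped = "Cost: \$5";                 // backslash keeps the dollar sign literal

// 2. Heredoc interpolates; nowdoc does not. The closing marker's indentation is stripped from each line.
$heredoc = <<<EOT
    Dear {$user['name']},
    your account is ready.
    EOT;
$nowdoc = <<<'EOT'
    Literal text: $name and {$user['name']} stay exactly as typed.
    EOT;

// 3. Interpolated vs prepared query, against an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');
$pdo->exec("INSERT INTO users (email) VALUES ('ada@example.com'), ('bob@example.com')");

// Interpolated: the quote inside $email closes the literal and the remainder is parsed as SQL.
$unsafe = "SELECT * FROM users WHERE email='$email'";
$leaked = $pdo->query($unsafe)->fetchAll(PDO::FETCH_ASSOC); // matches both rows

// Prepared: $email is bound as a value, so it can never change the query structure.
$stmt = $pdo->prepare('SELECT * FROM users WHERE email = ?');
$stmt->execute([$email]);
$safe = $stmt->fetchAll(PDO::FETCH_ASSOC); // matches no rows

// 4. HTML output: escape at the point where the variable is embedded.
$html = '<p>Hello ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';

echo "$simple | $index | $curly | $nested | $escaped\n";
echo $heredoc, "\n", $nowdoc, "\n";
printf("interpolated query matched %d rows, prepared query matched %d rows\n", count($leaked), count($safe));
echo $html, "\n";
```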

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL: Tools & Severity

Severity: Medium · Fix effort: Low
Quick Fix: Use double-quote interpolation for simple variables; use heredoc for multi-line strings; never interpolate into SQL or HTML — use prepared statements and htmlspecialchars
Applies To: PHP 5.0+ (web, CLI, queue-worker)
Prerequisites: none listed
Detection Hints: variable interpolated directly into SQL query string; user input interpolated into HTML output without escaping
Auto-detectable: Yes (semgrep, phpstan, phpcs)
Related Problems: none listed
AI Agent: Confidence Medium · False positives Medium · Manual fix · Fix effort Low · Context: line
CWE: CWE-89, CWE-78
