
String Interpolation & Heredoc/Nowdoc

PHP PHP 5.0+ Beginner
debt(d5/e3/b3/t5)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches' (d5), since semgrep/phpstan/phpcs from detection_hints can flag interpolation of variables into SQL/HTML patterns, but plain interpolation is normal PHP and only context-specific misuse is caught.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3), per quick_fix: swap interpolated SQL for prepared statements or wrap HTML output in htmlspecialchars — pattern replacement, sometimes touching a few call sites.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3), since interpolation choices are made per string and affect readability only locally; they are syntax, not architecture, with no reach beyond the string in question.

t5 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'notable trap' (t5), matching the misconception that interpolation and concatenation are interchangeable, plus the documented gotchas around single vs double quotes and {$var} syntax for complex expressions.


Also Known As

string interpolation, PHP variable in string, double-quoted string PHP

TL;DR

PHP's double-quoted strings and heredoc syntax interpolate variables; nowdoc is the single-quoted equivalent — each with distinct escaping rules.

Explanation

PHP has four string literal syntaxes. Single-quoted strings do no interpolation and recognise only the \\ and \' escapes. Double-quoted strings interpolate simple variables ($name), one level of array or property access with a bare key ($arr[key], $obj->prop) and, inside curly braces, any expression that starts with a variable ({$arr['key']['sub']}, {$obj->method()}); constants, function calls and arithmetic cannot be interpolated. The older ${name} form is variable-variable interpolation, not a general expression syntax, and is deprecated since PHP 8.2. Heredoc (<<<EOT ... EOT) behaves like a double-quoted string across multiple lines and needs no escaping of double quotes, which is why it is common for multi-line SQL with placeholders, HTML templates and email bodies. Nowdoc (<<<'EOT' ... EOT, PHP 5.3+) is the heredoc equivalent of a single-quoted string: no interpolation and no escape processing, ideal when the content contains dollar signs or backslashes (regexes, shell snippets, templates for another engine). Since PHP 7.3 the closing marker may be indented, and its indentation is stripped from every line of the body; a body line indented less than the marker is a parse error. Interpolation never makes data safe: $query = "SELECT * FROM users WHERE id=$id" reads well but is SQL injection whenever $id is untrusted, so use prepared statements regardless.
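The following is an added example and not code from the glossary page: it walks one value through all four syntaxes and checks what each one produces, throwing if the result differs from what the syntax is documented to give. $user, $obj and the sample text are invented for the demonstration, and it assumes PHP 7.4 or later (typed properties, flexible heredoc indentation).

```php
<?php
declare(strict_types=1);

// Added example, not from the glossary page: one value pushed through each of
// PHP's four string syntaxes. $user, $obj and the sample text are made up.

$user = ['name' => 'Ada', 'langs' => ['php', 'c']];
$obj  = new class {
    public string $role = 'admin';
    public function id(): int { return 7; }
};

/** Compare a result with what the syntax is documented to produce; throw on mismatch. */
function expect(string $label, string $got, string $want): void
{
    if ($got !== $want) {
        throw new RuntimeException("$label: got [$got], wanted [$want]");
    }
    echo str_pad($label, 22), '=> ', $got, "\n";
}

// 1. Single-quoted: nothing is interpolated; only \\ and \' are escapes, so
//    the \n stays as two characters.
expect('single-quoted', 'Hi $user[name]\n', 'Hi $user[name]\\n');

// 2. Double-quoted, simple syntax: one variable plus at most ONE [key] or ->prop,
//    with the array key written bare. "$user['name']" would be a parse error.
expect('simple $var[key]', "Hi $user[name]", 'Hi Ada');
expect('simple $obj->prop', "Role $obj->role", 'Role admin');

// 3. Double-quoted, curly syntax: any expression that starts with a variable,
//    including quoted keys, nested indexes and method calls.
expect('curly {$...}', "Hi {$user['name']}, first {$user['langs'][0]}, id {$obj->id()}",
    'Hi Ada, first php, id 7');

//    Constants, function calls and arithmetic are NOT interpolated; concatenate.
expect('concat', 'Upper ' . strtoupper($user['name']) . ', n ' . (count($user['langs']) + 1),
    'Upper ADA, n 3');

// 4. Heredoc: behaves like a double-quoted string across lines; double quotes
//    need no escaping. Since PHP 7.3 the closing marker may be indented and its
//    indentation (4 spaces here) is stripped from every body line.
$mail = <<<TXT
    Hello {$user['name']},
    your "account" is ready.
    TXT;
expect('heredoc', $mail, "Hello Ada,\nyour \"account\" is ready.");

// 5. Nowdoc: the single-quoted counterpart; $ and \ are literal, so a regex or
//    a shell snippet can be pasted in unchanged.
$regex = <<<'RE'
    ^\$[a-z_]\w*$
    RE;
expect('nowdoc', $regex, '^\$[a-z_]\w*$');

// The legacy "${name}" form is variable-variable interpolation, not a general
// expression syntax, and has been deprecated since PHP 8.2; write "{$name}".
```

Run it with `php example.php`; every line it prints is a case that matched, and the first mismatch stops the script with the offending value, which is a convenient way to probe an unfamiliar PHP version's behaviour.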

Common Misconception

String interpolation and concatenation are always interchangeable. They are not: interpolation accepts only variables and, in curly braces, expressions that start with a variable ({$user->getName()}, {$arr['a']['b']}); constants, function calls and arithmetic need concatenation or sprintf. Any speed difference between the two is negligible in modern PHP, so choose by readability and by what the string is for, not by micro-benchmarks.

Why It Matters

PHP string interpolation embeds variables directly in double-quoted strings — convenient but can cause subtle bugs with complex expressions and security issues when SQL or HTML is built by interpolation.

Common Mistakes

  • Interpolating user input directly into SQL queries; even inside a string, this is SQL injection. Bind the value with a prepared statement instead.
  • Interpolating user input into HTML, heredoc templates included, without htmlspecialchars(); the result is cross-site scripting.
  • Complex expressions in strings: "User {$user->getName()}" works but is easy to misread; prefer concatenation or sprintf for anything beyond a property or a single method call.
  • Confusing single-quoted (no interpolation, only \\ and \' escapes) and double-quoted (interpolation plus escape sequences) strings.
  • Mixing the two array syntaxes: "Hello $user['name']" is a parse error, and "$arr[a][b]" interpolates only the first index. Use either the bare key in simple syntax, "Hello $user[name]", or the curly form, "Hello {$user['name']}", which accepts quoted keys and nested access.

Code Examples

✗ Vulnerable
$q = "SELECT * FROM users WHERE email='$email'"; // SQLi via interpolation
✓ Fixed
$stmt = $pdo->prepare('SELECT * FROM users WHERE email = ?');
$stmt->execute([$email]);
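The ✗/✓ pair above and the mistakes listed before it, as one runnable added example (not code from the glossary page): the same untrusted input is interpolated into SQL and into an HTML heredoc, beside the prepared-statement and htmlspecialchars forms. It assumes PHP 8.0 or later with the pdo_sqlite extension; the table, rows and attacker payloads are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not from the glossary page: the same untrusted input built
// into SQL and HTML by interpolation, then the safe forms. Assumes the
// pdo_sqlite extension; the table, rows and payloads are constructed here.

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (email, name) VALUES ('ada@example.test', 'Ada'), ('bob@example.test', 'Bob')");

// Constructed attacker input: one payload aimed at the SQL, one at the HTML.
$email = "x' OR '1'='1";
$name  = 'Ada <script>alert(1)</script>';

function check(bool $ok, string $msg): void
{
    if (!$ok) {
        throw new RuntimeException($msg);
    }
    echo "ok: $msg\n";
}

// --- SQL ------------------------------------------------------------------
// Vulnerable: the quote inside $email closes the literal, so the tail
// "OR '1'='1'" is parsed as SQL and matches every row.
$leaked = $pdo->query("SELECT name FROM users WHERE email = '$email'")
              ->fetchAll(PDO::FETCH_COLUMN);
check(count($leaked) === 2, 'interpolated query returned every user');

// Fixed: the value is bound as a parameter and never becomes SQL text, so the
// same payload is just an email address nobody has.
$stmt = $pdo->prepare('SELECT name FROM users WHERE email = ?');
$stmt->execute([$email]);
$bound = $stmt->fetchAll(PDO::FETCH_COLUMN);
check($bound === [], 'prepared query returned no rows for the payload');

// --- HTML -----------------------------------------------------------------
/** Escape for HTML text/attribute context. ENT_SUBSTITUTE keeps invalid UTF-8
 *  from turning the whole string into "" and silently dropping the output. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable: a heredoc interpolates like a double-quoted string, so the
// <script> tag is emitted verbatim.
$unsafe = <<<HTML
    <p>Welcome, $name</p>
    HTML;
check(str_contains($unsafe, '<script>'), 'raw interpolation emits the script tag');

// Fixed: escape first, then interpolate the escaped value. A heredoc cannot
// call e($name) inline, which is one more reason to keep escaping out of the markup.
$safeName = e($name);
$safe = <<<HTML
    <p>Welcome, $safeName</p>
    HTML;
check(!str_contains($safe, '<script>') && str_contains($safe, '&lt;script&gt;'),
    'escaped interpolation neutralises the payload');
echo $safe, "\n";
```

The two fixes work in different places: the prepared statement keeps data out of the SQL parser entirely, while htmlspecialchars changes the data so the HTML parser treats it as text. Neither is a substitute for the other, and neither is applied by interpolation itself.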

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity
🟡 Medium ⚙ Fix effort: Low
⚡ Quick Fix
Use double-quote interpolation for simple variables; use heredoc for multi-line strings; never interpolate untrusted data into SQL or HTML: bind parameters with prepared statements and escape output with htmlspecialchars
📦 Applies To
PHP 5.0+ web cli queue-worker
🔍 Detection Hints
Variable interpolated directly into SQL query string; user input interpolated into HTML output without escaping
Auto-detectable: ✓ Yes semgrep phpstan phpcs
CWE-89 CWE-78