
Dollar ($) sign in password string treated as variable

Spent some time troubleshooting a problem whereby a PHP/MySQL web application was having problems connecting to the database. The database could be accessed from the shell and phpMyAdmin with the exact same credentials and it didn't make sense.

Turns out the password had a $ sign in it:

$_DB["password"] = "mypas$word"; 

The password being sent was "mypas" which is obviously wrong.

What's the best way to handle this problem? I escaped the $ with a \

$_DB["password"] = "mypas\$word"; 

and it worked.

I generally use $string = 'test' for strings which is probably how I avoided running into this before.

Is this correct behavior? What if this password was stored in a database and PHP pulled it out - would this same problem occur? What am I missing here...

ncatnow asked Apr 01 '10 02:04



2 Answers

$_DB['password'] = 'mypas$word'; 

Single quote strings are not processed and are taken "as-is". You should always use single quote strings unless you specifically need the $variable or escape sequences (\n, \r, etc) substitutions. It's faster and less error prone.

Thomas Bonini answered Oct 04 '22 05:10


PHP is interpolating the variable $word into the string mypas$word, as is normal behaviour for string literals delineated with double quotes. Since $word is presumably undefined, the resulting interpolated string is mypas.

The solution is to use single quotes. Single-quoted string literals do not undergo variable interpolation.

Benji XVI answered Oct 04 '22 04:10
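An added example, not part of the original question or answers: a small check that uses PHP's tokenizer to flag double-quoted literals in a config file that would interpolate a variable, followed by a demonstration that a value obtained at runtime (for instance from a database row) is not interpolated again. The function name `findInterpolatedVariables` and the sample config are constructed for illustration.

```php
<?php
// Added example; the function name and the sample config are constructed for illustration.

/**
 * Return [line, variable] pairs for every variable PHP would interpolate
 * inside a double-quoted string literal in $source.
 */
function findInterpolatedVariables(string $source): array
{
    $hits = [];
    $inDoubleQuotes = false;
    foreach (token_get_all($source) as $token) {
        if ($token === '"') {
            // The tokenizer emits a bare '"' only around literals that contain
            // interpolation; plain literals arrive as one T_CONSTANT_ENCAPSED_STRING.
            $inDoubleQuotes = !$inDoubleQuotes;
            continue;
        }
        if ($inDoubleQuotes && is_array($token) && $token[0] === T_VARIABLE) {
            $hits[] = [$token[2], $token[1]]; // [line number, variable name]
        }
    }
    return $hits;
}

// Constructed sample config, held in a nowdoc so nothing in it is interpolated here.
$config = <<<'CONFIG'
<?php
$_DB["user"]     = "app";
$_DB["password"] = "mypas$word";   // interpolated: $word is undefined
$_DB["escaped"]  = "mypas\$word";  // backslash keeps the literal $
$_DB["single"]   = 'mypas$word';   // single quotes: taken as-is
CONFIG;

foreach (findInterpolatedVariables($config) as [$line, $name]) {
    echo "line $line: double-quoted literal interpolates $name\n";
}

// Interpolation applies to literals in source code only. A value obtained at
// runtime is plain data; $stored stands in for a password read from a database.
$stored = 'mypas$word';
echo "$stored" === 'mypas$word'
    ? "runtime value kept its dollar sign\n"
    : "runtime value was altered\n";
```

Running PHP with warnings enabled (`error_reporting(E_ALL)`) also surfaces the undefined `$word` when the original line executes, which is a quicker signal than a failed database login.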