Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Dollar ($) sign in password string treated as variable

Tags:

variables

string

php

escaping

Spent some time troubleshooting a problem whereby a PHP/MySQL web application was having problems connecting to the database. The database could be accessed from the shell and phpMyAdmin with the exact same credentials and it didn't make sense.

Turns out the password had a $ sign in it:

$_DB["password"] = "mypas$word";

The password being sent was "mypas" which is obviously wrong.

What's the best way to handle this problem? I escaped the $ with a \

$_DB["password"] = "mypas\$word";

and it worked.

I generally use $string = 'test' for strings which is probably how I avoided running into this before.

Is this correct behavior? What if this password was stored in a database and PHP pulled it out - would this same problem occur? What am I missing here...

like image 480
ncatnow Avatar asked Apr 01 '10 02:04

ncatnow

People also ask

What is dollar variable?

The $var (single dollar) is a normal variable with the name var that stores any value like string, integer, float, etc. The $$var (double dollar) is a reference variable that stores the value of the $variable inside it.

What does $$ mean PHP?

The $x (single dollar) is the normal variable with the name x that stores any value like string, integer, float, etc. The $$x (double dollar) is a reference variable that stores the value which can be accessed by using the $ symbol before the $x value. These are called variable variables in PHP.

Why do we use a dollar symbol ($) before variables in PHP?

Rasmus Lerdorf, the father of the PHP language, explains the $ sign as an ability to insert variables inside literal string values (interpolation), so that the variables are distinguished from the rest of the string.

2 Answers

$_DB['password'] = 'mypas$word';

Single quote strings are not processed and are taken "as-is". You should always use single quote strings unless you specifically need the $variable or escape sequences (\n, \r, etc) substitutions. It's faster and less error prone.

like image 117
Thomas Bonini Avatar answered Oct 04 '22 05:10

Thomas Bonini

PHP is interpolating the variable $word into the string mypas$word, as is normal behaviour for string literals delineated with double quotes. Since $word is presumably undefined, the resulting interpolated string is mypas.

The solution is to use single quotes. Single-quoted string literals do not undergo variable interpolation.

like image 26
Benji XVI Avatar answered Oct 04 '22 04:10

Benji XVI
Sign in to Comment

Related questions

What is 22527 in error_reporting 22527 of phpinfo
Extract URLs from text in PHP
How do I see which checkbox is checked?
PDO fetchAll array to one dimensional
laravel updateOrCreate method
How to return a line number in a PHP script
How to capitalize first letter in Laravel Blade
How do I access static member of a class?
phpMyAdmin mbstring error
how to know whether key exists in Json string [duplicate]
How can I have optional parameters in Symfony2 route?
server:run Exception There are no commands defined in the "server" namespace
mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in [duplicate]
How to cast variable to array
What is Drupal's default password encryption method?
PHP - If variable is not empty, echo some html code
CURL and HTTPS, "Cannot resolve host"
Remove zero values from a PHP array
"call to undefined function" error when calling class method
Using sessions & session variables in a PHP Login Script

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!