37

I have used PHP for a long time, but I just saw something like,

${  }

To be precise, I saw this in a PHP Mongo page:

$m = new Mongo("mongodb://${username}:${password}@host");

So, what does ${ } do? It is quite hard to search with Google or in the PHP documentation for characters like $, { and }.

Improve this question
2
  • 1
    Its use is kind of pointless here though, "mongodb://$username:$password@$host" would work just as well. Commented Mar 21, 2013 at 13:44
  • Worth noting that in PHP 8.2 this was deprecated (php.watch/versions/8.2/…) Commented Aug 27, 2024 at 6:07

5 Answers 5

Reset to default
44

${ } (dollar sign curly bracket) is known as Simple syntax.

It provides a way to embed a variable, an array value, or an object property in a string with a minimum of effort.

If a dollar sign ($) is encountered, the parser will greedily take as many tokens as possible to form a valid variable name. Enclose the variable name in curly braces to explicitly specify the end of the name.

<?php
$juice = "apple";

echo "He drank some $juice juice.".PHP_EOL;
// Invalid. "s" is a valid character for a variable name, but the variable is $juice.
echo "He drank some juice made of $juices.";
// Valid. Explicitly specify the end of the variable name by enclosing it in braces:
echo "He drank some juice made of ${juice}s.";
?>

The above example will output:

He drank some apple juice.
He drank some juice made of .
He drank some juice made of apples.
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Great! And I removed my no-longer-accurate comment. :-)
11

It's an embedded variable, so it knows where to stop looking for the end of the variable identifier.

${username} in a string means $username outside of a string. That way, it doesn't think $u is the variable identifier.

It's useful in cases like the URL that you gave, because then it doesn't need a space after the identifier.

See the php.net section about it.

Improve this answer

12 Comments

e.g: $a = 'blah'; echo "$abc"; will echo nothing since $abc is not set while $a = 'blah'; echo "${a}bc"; will echo 'blahbc'
"Complex (curly) syntax" is documented here: php.net/manual/en/… -- btw, the examples seem to prefer {$username} over ${username} although both work in the simple case.
I'd avoid using it altogether, just put it into single quotes i.e. this is echo 'Hello, '.$world.', how are you?'; much faster than echo "Hello, {$world}, how are you?";
@PavelDubinin Readability. If you're optimizing your PHP to that level why not just write C?
AdrianGünter I agree @PavelDubinin 's example is awful and his point is actually invalid (in many cases complex syntax is twice as fast as string append - see: pastebin.com/TCKk4K6P ) but trying to establish a 'best practice' is important, and can help mitigate some of the speed cost of PHP
|
1

The PHP documentation provides only a brief description of this usage, and I also have only seen it in a malware sample.

From the documentation:

In order to use variable variables with arrays, you have to resolve an ambiguity problem. That is, if you write $$a[1] then the parser needs to know if you meant to use $a[1] as a variable, or if you wanted $$a as the variable and then the [1] index from that variable. The syntax for resolving this ambiguity is: ${$a[1]} for the first case and ${$a}[1] for the second.

Improve this answer

Comments

1

I read everywhere about using the ${var_name} and {$var_name} inside of strings in order to delimit variables, but I recently came across this:

<?php
$zb8b5 = 419;
$GLOBALS['t91a5'] = Array();
global $t91a5;
$t91a5 = $GLOBALS;
${"\x47\x4c\x4fB\x41\x4c\x53"}['t112f6f9'] = "\x63\x5c\x76\x48\x36\x47\x43\x7b\x35\x7c\x27...";
.
.
.

I found the above code when fixing a hacked website.

Note the last line. Turns out it is also possible to use the ${} syntax to declare variables with odd names.

So you can do (weird) things like:

<?php
${"my_var"} = 'asdf';
var_dump($my_var);
${"other_var"}['a_pos'] = 'my value';
var_dump($other_var);
?>

Output:

string(4) "asdf"
array(1) {
  ["a_pos"]=>
  string(8) "my value"
}

It's really a bad practice, of course, unless you're trying to scramble your code, as these guys wanted to do.

raw-bin hood pointed out a reference to the use of ${} outside strings in the PHP documentation: https://www.php.net/manual/en/language.variables.variable.php

Improve this answer

4 Comments

I have also seen this used in almost exact same malware source from: github.com/marcocesarato/PHP-Malware-Collection . In the obfuscators/globals.php file which is what led me here. Also, I think you forgot the variable name in the second example: var_dump($other_var);
Fixed the var_dump(). Thanks, raw-bin hood.
I also found documentation on that usage here: php.net/manual/en/language.variables.variable.php . The explanation is brief but in the paragraph about half way down.
Excellent! I added your reference to the answer.
1

${ } (dollar sign curly bracket) is known as Complex (curly) syntax.

This isn't called complex because the syntax is complex, but because it allows for the use of complex expressions.

Any scalar variable, array element or object property with a string representation can be included via this syntax. The expression is written the same way as it would appear outside the string, and then wrapped in { and }. Since { can not be escaped, this syntax will only be recognised when the $ immediately follows the {. Use {$ to get a literal {$. Some examples to make it clear:

<?php
$juice = "apple";

echo "He drank some $juice juice.".PHP_EOL;
// Invalid. "s" is a valid character for a variable name, but the variable is $juice.
echo "He drank some juice made of $juices.";
// Invalid
echo "He drank some juice made of { $juice}s.";
// Valid. Explicitly specify the end of the variable name by enclosing it in braces:
echo "He drank some juice made of ${juice}s.";
?>

The above example will output:

He drank some apple juice.
He drank some juice made of .
He drank some juice made of { apple}s.
He drank some juice made of apples.
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.