Dollar ($) sign in password string treated as variable

57,271

Solution 1

$_DB['password'] = 'mypas$word';

Single quote strings are not processed and are taken "as-is". You should always use single quote strings unless you specifically need the $variable or escape sequences (\n, \r, etc) substitutions. It's faster and less error prone.

Solution 2

PHP is interpolating the variable $word into the string mypas$word, as is normal behaviour for string literals delineated with double quotes. Since $word is presumably undefined, the resulting interpolated string is mypas.

The solution is to use single quotes. Single-quoted string literals do not undergo variable interpolation.

Solution 3

The other answers all work until there are single quotes embedded in the password.

Fail:

$_DB['password'] = 'my'pas$word';

Alternatives:

If you don't have other escaped characters, you can escape the $ with \$, e.g.

$_DB['password'] = "my'pas\$word";

Or it may be simpler to escape the single quote e.g.

$_DB['password'] = 'my\'pas$word';

Solution 4

Use single quotes:

$_DB["password"] = 'mypas$word';

Solution 5

Just put it in a single-quoted string:

$_DB['password'] = 'mypas$word';

The double-quoted string will interpolate variables, but single-quoted strings won't. So that will solve your problem.
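A lint-style check for the mistake these answers describe, as an added example that is not part of the original answers: it tokenizes PHP source and reports every variable interpolated inside a double-quoted string or heredoc. The function name `findInterpolatedVariables` and the sample config are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Return [line, variable] pairs for each variable that PHP would
 * interpolate inside a double-quoted string or heredoc in $source.
 * (Hypothetical helper, written for this example.)
 */
function findInterpolatedVariables(string $source): array
{
    $hits = [];
    $inString = false;
    foreach (token_get_all($source) as $token) {
        // A bare '"' token only appears around strings that interpolate;
        // plain "text" and "pas\$word" arrive as one constant-string token.
        if ($token === '"') {
            $inString = !$inString;
            continue;
        }
        if (!is_array($token)) {
            continue;
        }
        [$id, $text, $line] = $token;
        if ($id === T_START_HEREDOC) {
            // <<<'LABEL' is a nowdoc, which never interpolates.
            $inString = strpos($text, "'") === false;
        } elseif ($id === T_END_HEREDOC) {
            $inString = false;
        } elseif ($inString && $id === T_VARIABLE) {
            $hits[] = [$line, $text];
        }
    }
    return $hits;
}

// Constructed sample config, held in a nowdoc so nothing is substituted here.
$sample = <<<'PHP'
<?php
$_DB['user']     = "app";
$_DB['password'] = "mypas$word";
$_DB['backup']   = "mypas\$word";
$_DB['other']    = 'mypas$word';
PHP;

foreach (findInterpolatedVariables($sample) as [$line, $var]) {
    printf('line %d: double-quoted string interpolates %s' . PHP_EOL, $line, $var);
}
```

Only the unescaped double-quoted assignment is reported; the escaped and single-quoted forms pass, matching the behaviour described in the answers.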

Author by

ncatnow

Updated on April 24, 2020

Comments

  • ncatnow
    ncatnow about 4 years

    Spent some time troubleshooting a problem whereby a PHP/MySQL web application was having problems connecting to the database. The database could be accessed from the shell and phpMyAdmin with the exact same credentials and it didn't make sense.

    Turns out the password had a $ sign in it:

    $_DB["password"] = "mypas$word";
    

    The password being sent was "mypas" which is obviously wrong.

    What's the best way to handle this problem? I escaped the $ with a \

    $_DB["password"] = "mypas\$word";
    

    and it worked.

    I generally use $string = 'test' for strings which is probably how I avoided running into this before.

    Is this correct behavior? What if this password was stored in a database and PHP pulled it out - would this same problem occur? What am I missing here...

  • ncatnow
    ncatnow about 14 years
    Thanks for your answer. It appears this is a problem of best practice. With strict error reporting this may have been picked up faster. From my original question - could this be an issue when grabbing passwords from the database, or will PHP escape the $ sign?
  • Andreas Bonini
    Andreas Bonini about 14 years
    @ncatnow: it can't be an issue because the substitution is only done in double quoted strings ("string"). When you read a string from the database it is read internally by PHP so you're not using the double quoted strings to set it (or even the single quote ones). Imagine the compiler replacing all the $stuff right before setting the variable.
  • John Kugelman
    John Kugelman about 14 years
    It's only an issue for strings written out directly in your source code, using double quotes. They must physically appear "like $this" in a .php source file. Strings from the database, from a file, from the user, etc., are not subject to interpolation.
  • tildy
    tildy about 12 years
    And what about the following? $a contains a dollar sign (string) ; $b=$a ? I tried this, and unfortunately it didn't show the dollar sign.
  • Brian Riehman
    Brian Riehman about 12 years
    If you place the assignment within single quotes, it should show up. $b = '$a' will set the variable b to the literal text '$a'.
  • tildy
    tildy about 12 years
    I mean $a='This book is $148'; $b='$a' doesn't show me the following text: This book is $148, but if $b=$a then it tried to show the $148 (?) variable.
  • Ben
    Ben over 9 years
    You can also escape the dollar sign: "pas\$word".
  • Reza
    Reza over 7 years
    Great, thank you. I didn't know that we can escape characters.