How to include single quotes in the value of a text string

Hi
I have a script that writes values to a php text file that works almost fine as in :-

$content = '$security_code = '. $short_string . ';'."\n";
fwrite($txtfile, $content);

and writes a line to a text file as

$security_code = BA1EF7;

Only problem is I want it to write to the file as follows

$security_code = 'BA1EF7';

i.e. value enclosed in single quotes - any suggestions please?

Something like this?

$content = "'{$security_code}' = "{$short_string};\n";

(Not tested - edited to add missing single quote)

Try this:

$content = ‘$security_code = "’ .$short_string .'" '."\n";

$content = "\$security_code = '".$short_string ."' "  ."\n";

Also not tested.

Edit:

This tablet editor has five types of single and five types of double quotes!!!

gives me -

Parse error: syntax error, unexpected '{'
$content = "’{$security_code} = “{$short_string};\n”;

gives me -
Parse error: syntax error, unexpected '\'

$content = ‘$security_code = "’ .$short_string .'" '."\n";

gives me -

Parse error: syntax error, unexpected '$security_code' (T_VARIABLE)
$content = "\$security_code = '".$short_string ."' "  ."\n";

gives me -

$security_code = '2CE52D' 

if I add another ; to the last version like this -

$content = "\$security_code = '".$short_string ."';"  ."\n";

then I get -

$security_code = 'BB440D';

So this last one seems to work ok for me - as always thanks so much to all !


No need for all the dots and extra quotes (in fact when php parses a double-quoted string containing a variable, it produces the exact same tokenized byte-code as if you had used concatenation) -

$content = "\$security_code = '$short_string';\n";


Why are you writing Php variables to a text file? What is the real problem you are trying to solve by doing this?

This, doubled.

It sounds like a solution to a problem you shouldn’t be having …


Hi guys
Well, the thing is I am trying to set some parameters that are stored and influence operation of a larger php script. However I cannot use a database in this instance. Also the settings will change depending on exactly how the script is used. I could use a config.php file but this requires the user to start editing files. In this way I can have a fixed config.php file and a settings.php created based on input that I can include when needed. No database, no sessions, and preferences are stored… It actually works very well for what I need.

I'll try that - thanks! - tried it, works great, thanks!

In that case I’d still opt for some other format, like ini or even something like yaml to write and then read back and interpret, rather than write some file that will be executed. shudders

Hi, can you explain the ‘shudders’? I mean config.php gets executed as do all includes. Eventually some code will have to be executed to set variables based on the options stored. Not being argumentative but maybe I am being naive. How would a .ini file work? Would it be secure? Do I just replace .php with .ini?

I chose a PHP file because even if it does execute someone cannot just click on it and view contents or download it. I mean config.php is often used to store sensitive info such as database connection parameters, it basically executes when called and seems to be accepted as secure.

As I say, not arguing just genuinely learning and open to all advice thank you.

Well, all included files are indeed executable, but most of them are not written by a machine.

For example, what happens if someone enters '; die('Nope')'; as one of the credentials? Then the entire site will be down. It probably will never happen, but just the idea that it might is bad enough.

An ini file would look like this for example

[database]
username = foo
password = bar
database = baz

You can read the contents using parse_ini_file.

The main advantage is that it treats data as data, it will never be executed. So even if you try to hack it like above that won’t work.

As for people downloading it, put it in a directory “above” your index.php or in a directory that is protected against downloads with an .htaccess file.

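The approach described above, written out as an added example (not code from the thread or from the PHP manual): the user's choices are validated server-side, which also covers requests that never came from the form, and then stored as data in an .ini file read with parse_ini_file. The setting names, the six-digit hex format of the security code and the file location are assumptions made for the example.

```php
<?php
// Added example, not code from the thread: store the user's choices as data in an .ini
// file read with parse_ini_file() instead of generating a PHP file, so a value such as
// '; die('Nope'); can never run. Schema, file name and hex format are assumptions.
const SETTINGS_SCHEMA = ['security_code' => 'hex', 'debug' => 'bool']; // all that exists
// Validate raw form (or curl) input against the schema; a bad value throws.
function validate_settings(array $input): array {
    $clean = [];
    foreach (SETTINGS_SCHEMA as $key => $type) {
        $raw = (string) ($input[$key] ?? '');
        if ($type === 'bool') {
            $clean[$key] = in_array($raw, ['yes', 'on', '1', 'true'], true);
        } elseif (preg_match('/^[A-F0-9]{6}$/', $raw)) {
            $clean[$key] = $raw;
        } else {
            throw new InvalidArgumentException("invalid value for $key");
        }
    }
    return $clean;
}
// Keys come from the schema and values from a safe character set, so the file needs
// no quoting or escaping. Keep it outside the web root so it cannot be downloaded.
function write_settings_ini(string $path, array $settings): void {
    $out = "[settings]\n";
    foreach ($settings as $key => $value) {
        $out .= "$key = " . (is_bool($value) ? (int) $value : $value) . "\n";
    }
    file_put_contents($path, $out, LOCK_EX);
}
// INI_SCANNER_RAW interprets nothing inside the values; the schema restores the types.
function read_settings_ini(string $path): array {
    $ini = parse_ini_file($path, true, INI_SCANNER_RAW);
    $settings = [];
    foreach (SETTINGS_SCHEMA as $key => $type) {
        $value = $ini['settings'][$key] ?? '';
        $settings[$key] = $type === 'bool' ? $value === '1' : $value;
    }
    return $settings;
}
// Constructed inputs: a normal submission, then the injection attempt from the thread.
$path = sys_get_temp_dir() . '/settings.ini';
foreach ([['security_code' => 'BA1EF7', 'debug' => 'yes'],
          ['security_code' => "'; die('Nope');", 'debug' => 'yes']] as $input) {
    try {
        write_settings_ini($path, validate_settings($input));
        var_dump(read_settings_ini($path)); // security_code "BA1EF7", debug bool(true)
    } catch (InvalidArgumentException $e) {
        echo "Rejected: {$e->getMessage()}\n"; // the second input ends up here
    }
}
```

Because the whitelist runs before anything is written, the payload is rejected as a string rather than landing in a file that will later be included.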

@kerry14,
Try PHP Heredoc strings because it makes complex concatenation a lot easier:

https://www.php.net/manual/en/language.types.string.php

I don’t think the '; die('Nope')'; is a problem because all the credentials are generated from my code based on yes/no answers or tick boxes.

But … I did NOT even KNOW about .ini files or parse_ini_file - that is most interesting and informative !

I certainly will do - thanks again to you both !

That is because you naively think that a user has to use your form to submit a POST request. Your form is not the only way to submit data to your app.



Well I don’t think I am naive but I am certainly less experienced than you. Now I am worried about security on a whole new level, I thought using POST and if (isset()) then sanitizing any input was pretty much secure. So as well as preventing SQL injection with prepared statements, sanitizing POST inputs, htmlspecialchars() and brute force attacks, I also have to prevent people submitting data to an app without even using a form!

Is there anywhere an example of a script that is actually secure to use as a basis or template?

It seems nowadays with PHP 75% of coding is blocking security holes.

Can you please explain how this could be done so I can attempt to prevent it, please?

It’s always been that way. It’s just that for a long time the majority of people were ignoring it.
To be fair, a lot of them still are.

As a very simple example of POSTing without a form you could use cURL:

curl -X POST -F "username='; die('Nope');" http://domain.tld/post-to-me.php

Hits the server directly. No front-end validation is going to stop it.

Here is a visual representation of front-end validation:


Just to be clear, that is what I meant, just lacking experience. Nothing more. I was not knocking you. :grinning:

It’s one of those words with multiple definitions. This is the one I meant.
“Not having experienced or been subjected to something”


Still friends then :grinning:
