In this series, we're taking a look at the WordPress PHP Coding Standards in order to further understand how quality WordPress code should be written.
Sure, all of this is documented in the WordPress Coding Standards and it's a site that every WordPress developer should have bookmarked and on hand when working on a theme, a plugin, or an application; however, if you're just getting into WordPress development, then it's important to understand the rationale as to why the conventions are the way they are.
In this article, we're going to be taking a look at the use of single quotes and double quotes specifically when dealing with strings.
This may be the shortest, most straightforward article in the series, but it should cover some important nuances as it relates to working with single quotes, double quotes, and strings in WordPress.
Strings in PHP and Strings in WordPress
Before we actually discuss strings as they relate to WordPress, it's important to understand how the PHP language interprets strings when they are single quoted or double quoted.
Single Quotes in PHP
First, the simplest, most straightforward way to define a string in PHP is to simply wrap it with single quotes (that is, the ' character).
As with most programming languages, there are ways to escape characters so that you're able to write out a string literal. For example, if you wanted to write: "String's in PHP are easy," as a string, then you may do this:
'String\'s in PHP are easy.'
See? The backslash instructs PHP to write out the single quote rather than terminating the string.
The second thing to note is that if you have a variable, it will not be replaced when quoted in single quotes. For example, assume that you have a variable called $name and it contains the value "Envato".
More specifically, in code, this would look like this:
$name = 'Envato';
If you were to embed the $name variable into another string, it would not be replaced with 'Envato'.
$name = 'Envato';
echo 'I\'m writing for $name. It\'s a lot of fun.';
This would just echo: I'm writing for $name. It's a lot of fun.
Here is where double-quotes begin to come in handy.
Double Quotes in PHP
Straight from the PHP manual:
If the string is enclosed in double-quotes ("), PHP will interpret more escape sequences for special characters.
You can read more about the escape characters and other information in the PHP manual, but let's say we were to rework some of the strings that we've defined above.
Our first example, that is the one with the escaped single quote, could now be defined like this:
"String's in PHP are easy."
Our second example could be taken a step further: Not only is the escape sequence no longer needed, but the variable will also be evaluated:
$name = 'Envato';
echo "I'm writing for $name. It's a lot of fun.";
The second line will literally echo: I'm writing for Envato. It's a lot of fun.
So with this covered as an introduction, let's talk about the specifics of strings in WordPress. The truth is, if you have a strong grasp on all of the above, there's not much more to add other than a few one-off cases.
Single Quotes in WordPress
In keeping consistent with PHP coding conventions, the general rule of thumb to follow is to always use single quotes to define your strings.
Since much of the work done in WordPress also includes writing out markup within a PHP string, it's best to place those strings in single quotes so that the attributes of the HTML element can be enclosed in double quotes.
For example:
$html = '<a href="http://wordpress.org" target="_blank">WordPress</a>';
Obviously, the above makes for a much cleaner reading experience than having to place several escape characters in to handle the double quotes, the slashes, and so on.
If you're dealing with markup that needs to span multiple lines or where you're creating several elements some of which are child elements of others, I always recommend indenting the code so that it reads like an HTML document would.
For example:
$name = 'Tom McFarlin';
$html = '<div id="container">';
    $html .= '<span>' . $name . '</span>';
$html .= '</div><!-- /#container -->';
It's important to note that this isn't part of the WordPress Coding Standards - this convention is one that I simply find useful when it comes to maintaining code - however, recall that single quoted strings do not evaluate the value of a variable.
As such, it is important to note that, in this case, we're using string concatenation to include the variable definition.
Double Quotes in WordPress
Just as with double quotes in PHP, it's important to note that there are times when it's preferable to use them, especially when you need to evaluate a variable.
In using the example from the code above, we would adapt it as follows:
$name = 'Tom McFarlin';
$html = "<div id='container'>";
    $html .= "<span>$name</span>";
$html .= "</div><!-- /#container -->";
Notice that we replaced all of the single quotes with double quotes and that we no longer have to perform any string concatenation with the $name variable since it will be evaluated.
It's also important to note that although it's arguably more common to see double quotes applied to HTML attributes, single quotes work just fine as well, especially in scenarios like this.
But There Are Exceptions
When working with strings and various programming languages - namely HTML - it can get a little complicated in terms of how you're nesting your code.
For example, say that you're using PHP to write out JavaScript which is responsible for rendering some HTML. In this scenario, you're going to be writing a lot of quotes.
Though it's possible to simply alternate your quoting styles, this won't work 100% of the time.
Even the Coding Standards state:
An exception to this is JavaScript, which sometimes requires double or single quotes.
Although there are times where you may not be able to do this, this reinforces the idea that we should strive to keep each programming language in its own file and include them when and where necessary.
Are There Any Security Issues?
Yes, but WordPress makes them extremely easy to manage, and though this technically falls under data validation, it's closely related to exactly what we're discussing in this article.
The primary problem is that there are times where we may be dynamically writing out HTML attributes to our markup that have values we can't anticipate. In cases like this, we need to be able to escape said data.
Fortunately, WordPress provides the esc_attr function. Simply put, this function will take an incoming string and encode the characters to make sure they are rendered to the browser properly.
Practically speaking, you would use it exactly like the Codex demonstrates:
echo '<input type="text" name="fname" value="' . esc_attr( $_POST['fname'] ) . '">';
For more information, be sure to review the Codex article.
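The following is an added example, not code from the article or the Codex. It builds the same input with both attribute quoting styles and checks, by parsing the result, whether the value survives intact with and without esc_attr. The helper names, the sample values, and the esc_attr stand-in used outside WordPress are assumptions made for illustration.

```php
<?php
// Added example; not from the article or the Codex.
// Stand-in so this runs outside WordPress (assumption: htmlspecialchars with
// ENT_QUOTES approximates esc_attr's handling of < > & " '). Inside WordPress
// the real esc_attr() is already defined and this definition is skipped.
if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
	}
}

// Hypothetical helpers: the same field built with each attribute quoting style.
function input_double_quoted( $value ) {
	return '<input type="text" name="fname" value="' . $value . '">';
}
function input_single_quoted( $value ) {
	return "<input type='text' name='fname' value='" . $value . "'>";
}

// Parse the markup with PHP's DOM extension and report whether the value
// attribute still equals the original data and no extra attribute appeared.
function value_survives( $html, $raw ) {
	libxml_use_internal_errors( true ); // malformed markup is expected here
	$doc = new DOMDocument();
	$doc->loadHTML( $html );
	$input = $doc->getElementsByTagName( 'input' )->item( 0 );
	if ( null === $input ) {
		return false;
	}
	return 3 === $input->attributes->length
		&& $input->getAttribute( 'value' ) === $raw;
}

// Constructed sample values standing in for $_POST['fname'].
$samples = array( 'Tom "Mac" McFarlin', "Tom O'Neil", 'x" data-injected="1' );

foreach ( $samples as $raw ) {
	$cases = array(
		'unescaped, double-quoted attr' => input_double_quoted( $raw ),
		'unescaped, single-quoted attr' => input_single_quoted( $raw ),
		'esc_attr,  double-quoted attr' => input_double_quoted( esc_attr( $raw ) ),
		'esc_attr,  single-quoted attr' => input_single_quoted( esc_attr( $raw ) ),
	);
	foreach ( $cases as $label => $html ) {
		printf( "%-30s %-5s %s\n", $label, value_survives( $html, $raw ) ? 'ok' : 'BROKEN', $html );
	}
	echo "\n";
}
```

Alternating the quoting style only moves the problem to the other quote character, which is why the value is escaped at output regardless of which style the surrounding markup uses.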
Conclusion
So, as a general rule of thumb, you should stick with using single-quotes unless you're going to be evaluating a string or you're going to be returning and echo'ing HTML, JavaScript, or potentially even CSS back to the caller.
Just as the Coding Standards state:
You should almost never have to escape quotes in a string, because you can just alternate your quoting style.
So as you're working with strings in your future work, keep these principles in mind and it could go a long way to making sure that your strings are as clean and easy to understand as possible within the context of your WordPress-based projects.