Dollar ($) sign in password string treated as variable

Question

Spent some time troubleshooting a problem whereby a PHP/MySQL web application was having problems connecting to the database. The database could be accessed from the shell and phpMyAdmin with the exact same credentials and it didn't make sense.

Turns out the password had a $ sign in it:

$_DB["password"] = "mypas$word";

The password being sent was "mypas" which is obviously wrong.

What's the best way to handle this problem? I escaped the $ with a \\

$_DB["password"] = "mypas\$word";

and it worked.

I generally use $string = 'test' for strings which is probably how I avoided running into this before.

Is this correct behavior? What if this password was stored in a database and PHP pulled it out - would this same problem occur? What am I missing here...

Answer 1

$_DB['password'] = 'mypas$word';

Single quote strings are not processed and are taken "as-is". You should always use single quote strings unless you specifically need the $variable or escape sequences (\\n, \\r, etc) substitutions. It's faster and less error prone.

Answer 2

PHP is interpolating the variable $word into the string mypas$word , as is normal behaviour for string literals delineated with double quotes. Since $word is presumably undefined, the resulting interpolated string is mypas .

The solution is to use single quotes. Single-quoted string literals do not undergo variable interpolation.

Answer 3

The other answers all work until there are single quotes embedded in the passsword.

Fail:

$_DB['password'] = 'my'pas$word';

Alternatives:

If you don't have other escaped characters, you can escape the $ with \\$ , eg

$_DB['password'] = "my'pas\\$word";

Or it may be simpler to escape the single quote eg

$_DB['password'] = 'my\\'pas$word';

Answer 4

Just put it in a single-quoted string:

$_DB['password'] = 'mypas$word';

The double-quoted string will interpolate variables, but single-quoted strings won't. So that will solve your problem.

Answer 5

使用单引号

$_DB["password"] = 'mypas$word';

Answer 6

只需使用单引号'代替'，它就不会尝试将$ word视为变量。

$_DB['password'] = 'mypas$word';

Answer 7

Strings quotes with the double quotation are interpreted for variables. Single quoted strings are interpreted literally.

$a = "one";
$b = "$a";
echo $b . "\n";
$b = '$a';
echo $b . "\n";

This should yield:

one
$a

Answer 8

I just ran across this problem and fixed it prior to finding this thread. I am sure all the solutions with single quotes work perfect. I chose to just concatenate the pass which also works fine as I was unaware of the single quote solution....IE

$db_password = "SamWise" . "$" . "GangiTYloYG";