String interpolation

String interpolation is a form of Quasi-quotation, common in many programming languages which make heavy use of string representations of data, such as Ruby, PHP, Perl, etc. It means to insert a string or replace a variable with its value. It makes string formatting and specifying contents more intuitive.[1]

Contents

Examples

PHP

<?php
$str = <<<EOD
Example of string
spanning multiple lines
using heredoc syntax.
EOD;
 
class foo
{
    var $foo;
    var $bar;
 
    function foo()
    {
        $this->foo = 'Foo';
        $this->bar = array('Bar1', 'Bar2', 'Bar3');
    }
}
 
$foo = new foo();
$name = 'Jason';
 
echo <<<EOT
My name is "$name". I am printing some $foo->foo.
Now, I am printing some {$foo->bar[1]}.
This should print a capital 'A': \x41
EOT;
?>

The output will be:

My name is "Jason". I am printing some Foo.
Now, I am printing some Bar2.
This should print a capital 'A': A

Perl

my $apples = 4;
print "I have $apples apples\n";

The output will be:

I have 4 apples

REXX

original = "Mary had a X lamb."
 
new      = changestr('X', original, "little")
 
say 'original =' original
say 'replaced =' new

output

original = Mary had a X lamb.
replaced = Mary had a little lamb.

Ruby

apples = 4
puts "I have #{apples} apples"
# or
puts "I have %s apples" % apples

The output will be:

I have 4 apples

BOO

apples = 4
print("I have $(apples) apples")
// or
print("I have {0} apples" % apples)

The output will be:

I have 4 apples

CoffeeScript

apples = 4
console.log "I have #{apples} apples"

The output will be:

I have 4 apples

Python

apples = 4
print "I have %d apples" % apples
# or in newer versions:
print "I have {} apples".format(apples)
print "I have {a} apples".format(a=apples)

The output will be:

I have 4 apples

LISP

Using strings:

(print (format t "I have ~D apples" 4))

The output will be:

I have 4 apples

We can also generalise this to arbitrary (non-string) LISP expressions, known as s-expressions. The equivalent of string interpolation for s-expressions is quasi-quotation, for example:

(let ((num 4))
     (quasiquote (I have (unquote num) apples)))

This results in the s-expression (I have 4 apples), where "I", "have", "4" and "apples" are symbols (i.e. identifiers), rather than strings.

Dart

int apples = 4, bananas = 3;
print('I have $apples apples');
print('I have ${apples+bananas} fruits');

The output will be:

I have 4 apples
I have 7 fruits

Security Issues

String Interpolation, like string concatenation, may lead to security problems. When failed to properly escape or filter user input data, system will expose to SQL Injection, Script Injection, XML External Entity Injection (XXE), and Cross Site Scripting (XSS) attacks.[2]

An example of SQL Injection will be like this:

query = "SELECT x, y, z FROM Table WHERE id='$id' "

If $id is replaced with "'; DELETE FROM Table; SELECT * FROM Table WHERE id='", executing this query will wipe out all the data in Table.

See also

Notes

  1. ^ http://perlmeme.org/howtos/using_perl/interpolation.html
  2. ^ http://google-caja.googlecode.com/svn/changes/mikesamuel/string-interpolation-29-Jan-2008/trunk/src/js/com/google/caja/interp/index.html#-autogen-id-1
fonte: https://web.archive.org/web/20130130115145/https://en.wikipedia.org/wiki/String_interpolation