String interpolation
String interpolation is a form of Quasi-quotation, common in many programming languages which make heavy use of string representations of data, such as Python, Ruby, PHP, Perl, Scala, Nemerle, Swift, etc. It means to insert a string or replace a variable with its value. It makes string formatting and specifying contents more intuitive.[1]
Contents
Examples
Boo
apples = 4 print("I have $(apples) apples") # or print("I have {0} apples" % apples)
The output will be:
I have 4 apples
CFML
Script syntax:
apples = 4;
writeOutput("I have #apples# apples");
Tag syntax:
<cfset apples = 4> <cfoutput>I have #apples# apples</cfoutput>
The output will be:
I have 4 apples
CoffeeScript
apples = 4 console.log "I have #{apples} apples"
The output will be:
I have 4 apples
Dart
int apples = 4, bananas = 3; print('I have $apples apples'); print('I have ${apples+bananas} fruits');
The output will be:
I have 4 apples I have 7 fruits
Java
int apples = 4; System.out.println("Caspar has " + apples + " apples");
The output will be:
Caspar has 4 apples
Lisp
Using strings:
(print (format t "I have ~D apples" 4))
The output will be:
I have 4 apples
We can also generalise this to arbitrary (non-string) LISP expressions, known as s-expressions. The equivalent of string interpolation for s-expressions is quasi-quotation, for example:
(let ((num 4)) (quasiquote (I have (unquote num) apples)))
This results in the s-expression (I have 4 apples), where "I", "have", "4" and "apples" are symbols (i.e. identifiers), rather than strings.
Nemerle
def apples = 4; def bananas = 3; Console.WriteLine($"I have $apples apples"); Console.WriteLine($"I have $(apples + bananas) fruits");
You can also use advanced formatting features like this:
def fruits = ["apple", "banana"]; Console.WriteLine($<#I have ..$(fruits; "\n"; f => f + "s")#>);
The output will be:
apples bananas
Perl
my $apples = 4; print "I have $apples apples\n";
The output will be:
I have 4 apples
PHP
<?php $str = <<<EOD Example of string spanning multiple lines using heredoc syntax. EOD; class foo { var $foo; var $bar; function foo() { $this->foo = 'Foo'; $this->bar = array('Bar1', 'Bar2', 'Bar3'); } } $foo = new foo(); $name = 'Jason'; echo <<<EOT My name is "$name". I am printing some $foo->foo. Now, I am printing some {$foo->bar[1]}. This should print a capital 'A': \x41 EOT; ?>
The output will be:
My name is "Jason". I am printing some Foo. Now, I am printing some Bar2. This should print a capital 'A': A
Python
apples = 4 print "I have %d apples" % apples # or in newer versions: print "I have {} apples".format(apples) print "I have {a} apples".format(a=apples)
The output will be:
I have 4 apples
Ruby
apples = 4 puts "I have #{apples} apples" # or puts "I have %s apples" % apples # or puts "I have %{a} apples" % {a: apples}
The output will be:
I have 4 apples
Scala
The s interpolator
Scala's string Interpolation allows users to embed variable references directly in processed string literals. It's done by the Scala Macro feature. Macros are functions that are called by the compiler during compilation. Here is an example:
val apples = 4 println(s"I have $apples apples")
The output will be:
I have 4 apples
Swift
In Swift you can create a new String value from a combination of constants, variables, literals, and expressions by including their values inside a string literal. Each item that you insert into the string literal is wrapped in a pair of parentheses, prefixed by a backslash.
let apples = 4 println("I have \(apples) apples")
The output will be:
I have 4 apples
Security issues
String Interpolation, like string concatenation, may lead to security problems. When failed to properly escape or filter user input data, system will expose to SQL injection, script injection, XML External Entity Injection (XXE), and cross-site scripting (XSS) attacks.[2]
An example of SQL injection will be like this:
query = "SELECT x, y, z FROM TABLE WHERE id='$id' "
If $id is replaced with "'; ", executing this query will wipe out all the data in Table.DELETE FROM TABLE; SELECT * FROM TABLE WHERE id='
