Echo string with multiple variables

All of the following commands work but which one is considered correct in terms of security, compatibilit开发者_运维技巧y, speed, and other conventions?

//one
echo "$row->first_name $row->last_name <br />";

//two
echo $row->first_name . ' ' . $row->last_name .'<br />';

//three
echo $row->first_name;
echo $row->last_name;
echo '<br />';

Although not one of the styles you specified, I recommend using braces for echo-ing strings, mostly on compatibility note.

echo "Welcome back, {$row->first_name} {$row->last_name}";

More information about this type of syntax can be found in PHP Strings.

There's absolutely no difference in terms of security among the choices you posted. I'd go for something along the lines of:

<p class="name"><?php echo htmlspecialchars("$row->first_name $row->last_name"); ?></p>

• no <br />, they're not usually a good choice
• do your styling in CSS using classes
• escape output (security!!)
• separate HTML from PHP values
• minimal syntax
• the speed difference won't matter

all of them are fine.

in terms of speed, the first option is probably the fastest but also the most annoying to read.. third one is just dumb.

I'd go with the second one because that's how I've seen it used in commercial php software

Number one is the best option, it is readable and most likely the fastest despite PHP having to parse for variables (compared to multiple concatenation). The SO Question here demonstrates how concatenation can slow you down. The third option is just plain unreadable, and relatively slow due to the concatenation at the end. None of them have any kind of security issues, and even the performance gains are really negligible - for this kind of thing your goal should be readability.

All of them are fine as long as you have everything escaped/encoded properly. I'd go with the first one because it's the shortest and easiest to read.

Edit: I just did a small benchmark, and the second method is the slowest. The first method is the second-slowest. The third method is the fastest of the ones you posted, but the one Sinan suggested was about as performant.

I would say that being more explicit is the best way to go. I would also expect it to take longer for PHP to parse 1 because it has to determine if the tokens are variables inside the string or just part of the string. I lean towards 2, but sometimes you may have to split your strings into new lines because of keep things under something like 72 columns in keeping with code styling guidelines. What I would suggest is to look up different code style guides like the one for Zend (http://framework.zend.com/manual/en/coding-standard.coding-style.html).

As others have said, there is no difference in security just speed/preference.

But one thing to add, don't escape output on the fly. It's better to filter it before it get stored in the database (single request) then keep doing it for every single request in the future.