Some of you may be familiar with the heredoc string handler, which allows multi-line strings to be easily assigned to a variable. This great tool has many uses, such as retaining pre-formatted layout and improving the readability of code. The heredoc handler also parses variables contained within the string, much the same way that double quotes do, replacing any variables with their respective values.

This has some not-so-obvious drawbacks, one of which I discovered whilst trying to inject complex PHP code into a database for later evaluation via the eval() statement (please don't ask why).

The problem I found was that whilst it was easy to escape the string so that it would not break the SQL statement, the same escape characters also broke the evaluation. This might not have been an issue in any other situation, but for this particular project I did not have access to the code that carried out the evaluation, so I could not strip the escape characters out before running the eval query.

However, PHP 5.3 has now introduced the nowdoc syntax - this basically operates in the same manner as heredoc, but does not parse any of the content. This means that not only are variables not parsed, but neither are any characters that would normally require escaping. In essence, any string read into a variable by the nowdoc handler will not require any escaping whatsoever.

heredoc format

$somevar = <<<EOF
your multi
line text
$here
EOF;

nowdoc format

$somevar = <<<'EOF'
your multi
line text
$here
EOF;

The difference is only a small one - the nowdoc syntax has single quotes around the identifier.
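The following is an added example, not code from the original post. It shows what each syntax does to the same text, then stores the nowdoc value through a bound PDO parameter so that no escape characters end up in the stored row. The in-memory SQLite database, the `snippets` table and all sample values are assumptions made for the illustration.

```php
<?php
// Constructed sample value; heredoc will substitute it, nowdoc will not.
$here = 'INTERPOLATED';

// Heredoc: $here is replaced and \t becomes a real tab character.
$heredoc = <<<EOF
echo 'it\'s ' . "$here\tdone";
EOF;

// Nowdoc: quoted identifier, so the body is kept byte for byte.
$nowdoc = <<<'EOF'
echo 'it\'s ' . "$here\tdone";
EOF;

// Report whether the literal text "$here" and a real tab survive in each string.
function describe($label, $text) {
    printf("%-8s keeps \$here: %-3s contains tab: %s\n",
        $label,
        strpos($text, '$here') !== false ? 'yes' : 'no',
        strpos($text, "\t") !== false ? 'yes' : 'no');
}
describe('heredoc', $heredoc);
describe('nowdoc', $nowdoc);

// Nowdoc only governs how PHP reads the literal. The SQL layer is a
// separate concern: a bound parameter carries the value to the database
// as data, so nothing is added to it and nothing has to be stripped later.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE snippets (id INTEGER PRIMARY KEY, body TEXT)');

$stmt = $db->prepare('INSERT INTO snippets (body) VALUES (:body)');
$stmt->execute(array(':body' => $nowdoc));

$stored = $db->query('SELECT body FROM snippets WHERE id = 1')->fetchColumn();

// Compare the stored row with the original, and with a manually escaped copy.
echo $stored === $nowdoc
    ? "bound parameter: stored value is identical\n"
    : "bound parameter: stored value was altered\n";
echo addslashes($nowdoc) === $nowdoc
    ? "addslashes: value unchanged\n"
    : "addslashes: value now carries extra backslashes\n";
```

The closing `EOF;` identifiers are kept at the start of the line, which PHP versions before 7.3 require.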

A great fix for an annoying issue, but one that is unfortunately not without its caveats. The biggest one is that PHP 5.3 is still relatively new and there is no backwards equivalent.