Let us start from the definition. What is a string literal? The JavaScript (ECMAScript) specification puts it this way:
A string literal is zero or more characters enclosed in matching single or double quotes. Each character may be represented by an escape sequence.
Coming from a C# background, we are used to two forms of string literal: regular and verbatim.
A regular string literal in C#, where every backslash has to be doubled:
string g = "\\\\server\\share\\file.txt";
You will get: \\server\share\file.txt
A verbatim string literal in C#, where backslashes are taken as-is (only a double quote needs escaping, by doubling it):
string h = @"\\server\share\file.txt";
You will get: \\server\share\file.txt
As a lazy programmer I have always liked verbatim strings, as you do not need to wind your brain around escape sequences, which I think are not suitable for a human to read, which is why we as programmers have a job to do; but as a programmer I am also human, so naturally I avoid any unhuman thing... sorry for the rant. So I always use verbatim strings, as they are WYSIWYG.
Let me confuse you for a bit:
Do you reckon you are going to get the same [He's my friend] from str1 and str2? Yes, you do!
The confusing thing is that you can get away with not escaping a single quote inside a double-quoted string, and not escaping a double quote inside a single-quoted string. That is not luck, it is the definition above at work: only the quote that matches the opening delimiter ends the literal, the other one is just an ordinary character. You cannot get away with it in the following situations:
1. A single or double quote can be written unescaped when it does not match the delimiter, as above, but the same quote does end the literal when it does match. That is exactly what an attacker uses when a value they control is pasted into a script: the quote closes the literal and everything after it is parsed as code (a script injection, i.e. XSS). Other characters are worse still: a literal \r (carriage return) or \n (new line) can never appear unescaped inside a string literal, because the parser ends the literal at the line terminator and the script fails with a syntax error.
An example of this is:
So how do we avoid this? Escape the value before it is pasted into the literal, so that quotes, backslashes and line terminators come out as escape sequences:
<script> var myvar = <?= '"'.mysql_escape_string($myVarValue).'"'; ?>; </script>
A caveat on that line: mysql_escape_string() happens to work here because it escapes backslashes, both quotes, \r and \n, but it was written for SQL, not JavaScript. It is deprecated and was removed in PHP 7.0, it does not touch the sequence </script> (the HTML parser ends the script element before the JavaScript parser ever sees the literal), and it does not escape the U+2028 and U+2029 line separators. The tool built for this job is json_encode(), with the JSON_HEX_TAG, JSON_HEX_AMP, JSON_HEX_APOS and JSON_HEX_QUOT flags so that <, >, &, ' and " are emitted as \uXXXX escapes; its output is already a quoted, valid JavaScript string literal, so no surrounding quotes are needed.
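The two failure modes above, a multi-line value that breaks the literal and an attacker-controlled value that closes it and appends code, shown side by side with a hardened encoder. This is an added example in JavaScript, not code from the original post: the template strings, the function names (buildScriptNaive, jsStringLiteral, buildScriptSafe, runScript, demo) and the sample values are this example's own, and jsStringLiteral is meant to produce the same kind of output as PHP's json_encode() with the JSON_HEX_* flags, plus escapes for U+2028/U+2029. The generated scripts are compiled with new Function so the JavaScript parser's verdict can be checked offline.

```javascript
// Added example (not from the original post). Shows how a value pasted into
// a JavaScript string literal without escaping either breaks the script or
// hijacks it, and how to encode it so that it always round-trips.

// Naive template: the value is dropped straight between the double quotes,
// exactly like echoing a raw variable into <script> var myvar = "..."; </script>.
function buildScriptNaive(value) {
  return 'var pwned = false; var myvar = "' + value + '"; ' +
         'return { myvar: myvar, pwned: pwned };';
}

// Encode an arbitrary string as a JavaScript string literal that is safe to
// embed in an inline <script>. JSON.stringify escapes quotes, backslashes and
// control characters (\r, \n, ...); the extra replacements cover characters
// that the JS parser accepts but the HTML parser acts on (<, >, &), the single
// quote, and U+2028/U+2029, which older engines treat as line terminators.
// Every replacement is a \uXXXX sequence, valid inside any JS string literal.
// (Equivalent in spirit to PHP json_encode() with JSON_HEX_TAG|JSON_HEX_AMP|
// JSON_HEX_APOS|JSON_HEX_QUOT; that mapping is this example's assumption.)
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&'\u2028\u2029]/g, function (ch) {
    return '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
  });
}

// Hardened template: same script, but the value goes through the encoder,
// and the encoder supplies the surrounding quotes.
function buildScriptSafe(value) {
  return 'var pwned = false; var myvar = ' + jsStringLiteral(value) + '; ' +
         'return { myvar: myvar, pwned: pwned };';
}

// Compile and run a generated script body. Returns null when the JS parser
// rejects it (SyntaxError), otherwise the object the script returns.
function runScript(src) {
  try {
    return new Function(src)();
  } catch (e) {
    if (e instanceof SyntaxError) return null;
    throw e;
  }
}

// Constructed sample inputs (not from the post):
//  - a value containing a real new line, which ends the literal early;
//  - a value that closes the literal, injects a statement and reopens a
//    string so the script still parses;
//  - a value that would end the <script> element in a browser.
const multiLine = 'He\'s my friend\nand so are you';
const payload = 'x"; pwned = true; "';
const htmlPayload = '</script><script>pwned = true</script>';

function demo() {
  return {
    naiveMultiLine: runScript(buildScriptNaive(multiLine)),  // null: SyntaxError
    naivePayload:   runScript(buildScriptNaive(payload)),    // pwned === true
    safeMultiLine:  runScript(buildScriptSafe(multiLine)),   // myvar round-trips
    safePayload:    runScript(buildScriptSafe(payload)),     // pwned === false
    safeHtml:       runScript(buildScriptSafe(htmlPayload)), // myvar round-trips
    safeHtmlLiteral: jsStringLiteral(htmlPayload)            // contains no "</"
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Note that the naive template with the injected payload parses cleanly and sets pwned to true, which is the dangerous case: nothing fails loudly, the attacker's statement simply runs. The new-line case fails with a SyntaxError instead, which is the symptom that usually gets this class of bug noticed.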