$foo = <%= bar %>
If bar is being passed in as just baz (no quotes), PHP will complain.
If bar is being passed in as "baz" (with quotes), it will work fine.
If I do something like:
$foo = "<%= bar %>"
bar can be passed in directly without quotes and it will Just Work.
However, should bar contain a quote, it will break the PHP.
Additionally, should bar contain any malicious code, people could inject PHP code into my script, which I also do not want.
So, what I'd like is for bar to be quoted by the template and properly escaped so that the contents of bar are completely safe, no matter what. Something like ERB's u() and h() methods for URL-escaping and HTML-escaping.
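
One way to get the quoting asked for above, as an added example that is not part of the original post: a hypothetical `php_q` helper (the name, the `PhpEscape` module and the `PhpConfigView` class are assumptions, not part of ERB) that emits a complete PHP single-quoted string literal, so the template itself supplies no quotes.

```ruby
require "erb"

# Hypothetical helper (name and module are assumptions, not part of ERB):
# turns any Ruby value into a complete PHP single-quoted string literal.
module PhpEscape
  module_function

  def php_q(value)
    s = value.to_s
    # Refuse malformed input rather than emit bytes we cannot reason about.
    raise ArgumentError, "invalid byte sequence" unless s.valid_encoding?
    # Inside '...' PHP treats only \\ and \' as escapes, so prefixing every
    # backslash and single quote with a backslash keeps the value literal.
    "'" + s.gsub(/[\\']/) { |c| "\\#{c}" } + "'"
  end
end

# Minimal view object so the template can call bar and php_q directly.
class PhpConfigView
  include PhpEscape
  attr_reader :bar

  # The template supplies no quotes of its own; php_q emits them.
  TEMPLATE = ERB.new("$foo = <%= php_q(bar) %>;\n")

  def initialize(bar)
    @bar = bar
  end

  def render
    TEMPLATE.result(binding)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values: plain, embedded quote, trailing backslash,
  # and an attempt to close the string early.
  ["baz", "it's", "C:\\dir\\", "'; echo 'injected'; //"].each do |sample|
    print PhpConfigView.new(sample).render
  end
end
```

The helper covers PHP string context only; a value destined for a PHP identifier, number or array key needs its own validation.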