Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How do I strip quotes from an input box using PHP

Tags:

replace

php

quotes

user-input

I have this:

<input name="title" type="text" class="inputMedium" value="' . $inputData['title'] . '" />

I want to strip quotes from user input so that if someone enters something like: "This is my title" it wont mess up my code.

I tried this and it's not working:

$inputData['title'] = str_replace('"', '', $_POST['title']);
like image 387
Babak Avatar asked Feb 17 '10 20:02

Babak

People also ask

How do I strip a quote in PHP?

Try this: str_replace('"', "", $string); str_replace("'", "", $string); Otherwise, go for some regex, this will work for html quotes for example: preg_replace("/<!

How do you strip a quote from a string?

To remove double quotes from a string:Call the replace() method on the string. The replace method will replace each occurrence of a double quote with an empty string. The replace method will return a new string with all double quotes removed.

1 Answers

If I understand the question correctly, you want to remove " from $inputData['title'], so your HTML code is not messed up?

If so, the "right" solution is not to remove double-quotes, but to escape them before doing the actual output.


Considering you are generating HTML, **you should use the [`htmlspecialchars`][1] function**; this way, double-quotes *(and a couple of other characters)* will be encoded to HTML entities, and will not cause any trouble when injected into your HTML markup.

For instance:

echo '<input name="title" type="text" class="inputMedium" value="'
   . htmlspecialchars($inputData['title'])
   . '" />';

Note: depending on your situation (especially, about the encoding/charset you might be using), you might to pass some additional parameters to htmlspecialchars.

Generally speaking, you should always escape the data you are sending as an output, not matter what kind of output format you have.

For instance:

  • If you are generating some XML or HTML, you should use htmlspecialchars
  • If you are generating some SQL, you should use mysql_real_escape_string, or an equivalent, depending on the type of database you're working with
like image 75
Pascal MARTIN Avatar answered Oct 20 '22 00:10

Pascal MARTIN
Sign in to Comment

Related questions

How to do directed graph drawing in PHP?
Advice on a Canadian SMS Gateway provider [closed]
Why is the CakePHP password field is empty when trying to access it using $this->data?
Should PHP session be created before login or after successful login
OpenID Library for PHP 5.3 [closed]
Best PHP Workflow [closed]
Experience with protecting PHP code
How much "unlearning" when I move to a PHP framework
Questions regarding Lighttpd for Windows
PDO + SqlAnywhere, its possible?
Is searching PHP array faster than search/retrieve from MySQL
Handling foreign key exceptions in PHP
List of openid urls [duplicate]
CakePHP admin panel
how do php's declare(ticks) really work?
check if a users has already logged in?
What type of errors actually happen with mySQL/PHP
REST API in PHP output to JSON file extension
Why is there a mime type inconsistency with firefox, chrome?
How to Install ITL extension

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!