
How do I strip quotes from an input box using PHP

I have this:

<input name="title" type="text" class="inputMedium" value="' . $inputData['title'] . '" />

I want to strip quotes from user input so that if someone enters something like: "This is my title" it won't mess up my code.

I tried this and it's not working: $inputData['title'] = str_replace('"', '', $_POST['title']);

If I understand the question correctly, you want to remove " from $inputData['title'] so your HTML code is not messed up?

If so, the "right" solution is not to remove double-quotes, but to escape them before doing the actual output.


Considering you are generating HTML, you should use the htmlspecialchars function; this way, double-quotes (and a couple of other characters) will be encoded to HTML entities, and will not cause any trouble when injected into your HTML markup.

For instance:

echo '<input name="title" type="text" class="inputMedium" value="'
   . htmlspecialchars($inputData['title'])
   . '" />';

Note: depending on your situation (especially regarding the encoding/charset you might be using), you might need to pass some additional parameters to htmlspecialchars.


Generally speaking, you should always escape the data you are sending as an output, no matter what kind of output format you have.

For instance:

  • If you are generating some XML or HTML, you should use htmlspecialchars
  • If you are generating some SQL, you should use mysql_real_escape_string, or an equivalent, depending on the type of database you're working with

User input should be run through htmlspecialchars() for use in this situation.

I strongly recommend using htmlentities($string, ENT_QUOTES) before displaying anything user-generated, anywhere ...
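The escaping approach from the answers above, as an added example that is not part of the original posts: it passes the extra htmlspecialchars parameters explicitly (quote flags and charset) and checks that the value the user typed survives intact. The helper names `esc_attr` and `render_title_input` and the sample inputs are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the page): escape a value at output time for
// use inside a quoted HTML attribute.
function esc_attr(string $value): string
{
    // ENT_QUOTES encodes both " and '. ENT_SUBSTITUTE replaces invalid byte
    // sequences with U+FFFD instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Builds the <input> from the question with the value escaped.
function render_title_input(string $title): string
{
    return '<input name="title" type="text" class="inputMedium" value="'
        . esc_attr($title)
        . '" />';
}

// Constructed sample inputs standing in for $_POST['title'].
$samples = [
    '"This is my title"',
    "It's a <b>bold</b> title & more",
    "bad byte \xC3 here", // invalid UTF-8 on purpose
];

foreach ($samples as $raw) {
    $html = render_title_input($raw);
    echo $html, PHP_EOL;

    // Pull the attribute value back out and decode it, as a browser would.
    $start   = strpos($html, 'value="') + strlen('value="');
    $end     = strrpos($html, '" />');
    $decoded = htmlspecialchars_decode(substr($html, $start, $end - $start), ENT_QUOTES);

    // True for valid input: nothing the user typed is lost, unlike
    // str_replace('"', '', ...). False for the invalid-byte sample, because
    // the bad byte was substituted rather than passed through.
    echo '  round-trips: ', var_export($decoded === $raw, true), PHP_EOL;
}
```

Store the raw value and escape only when writing it into HTML, so the same data can be escaped differently for other output formats.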
