stripslash acting weird or is that normal?

Question

I have a database var that contains

5/8\" Cabinet Grade Plywood

the \\ being added by either WP or SQL to escape the ".

when retrieving this var i use stripslashes() both in in the value of the field used to edit that table (so that the next time someone want to edit that field he/she will see whats in that input already) and in the actual website where it suppose to appear.

The weird thing is ..

in the field it cuts from 5/8\\" Cabinet Grade Plywood to just 5/8

and in the website where it suppose to appear it shows normally without slashes or anything unusual.

this is how I stripslash the field:

$somevar = '<input value="'.stripslashes($currentselected['something']).'" class="niceclass" name="something" type="text" />';

and this is how I use it when it appears on page:

 <td><span style="font-size: larger;"><?php echo stripslashes($goods['verygood']); ?></span></td>

Answer 1

it simply collides with HTML markup

<input value="'.stripslashes($currentselected['something']).'"/>

will result in

<input value="5/8" Cabinet Grade Plywood" />

take a look on those ", its broken right there, you need to escape those "

to fix this use urlencode function in php

<input value="'.urlencode(stripslashes($currentselected['something'])).'"/>

or htmlspecialchars function, it should replace quotes with

"

Answer 2

You could use some htmlspecialchars on the output. The " has special meaning in HTML, and in this case would actually be seen as the closing of the value attribute of the input . Thus, you should escape it ( htmlspecialchars will translate " to " ).