Adeus Posted May 8, 2008

I have the following textarea in a form:

<textarea name="special" cols="32" rows="3" id="special"></textarea>

Upon submitting the form, it is stored in $_POST['special'] and passed again through the following hidden input field:

<input type=\"hidden\" name=\"special\" value=\"".$_POST['special']."\" />

Finally, it is presented in step 3 of the process:

if (isset($_POST['special']) && $_POST['special'] != "") {
    $special_prompt = "<p><span class=\"red\">Special Requests:</span> ".stripslashes(stripslashes(nl2br($_POST['special'])))."</p>";
} else {
    $special_prompt = "";
}

Here is an example of what it is doing:

//$_POST['special'] = Here's a single quote.
echo $special_prompt;
//returns: Here's some copy.

//$_POST['special'] = Here's some "double quotes."
echo $special_prompt;
//returns: Here's some

As you can see, it is cutting the string off where the double quotes begin. Any ideas?
discomatt Posted May 8, 2008

htmlentities()
BlueSkyIS Posted May 8, 2008

I use htmlspecialchars() with ENT_QUOTES, but I single-quote all field values, e.g.,

$the_string = "Hello! Don't mess up with this single quote.";
$output = "<INPUT TYPE='text' NAME='somefield' VALUE='".htmlspecialchars($the_string, ENT_QUOTES)."'>";
benphp Posted May 8, 2008

<?php
if (isset($_POST['special']) && $_POST['special'] != "") {
    $special = nl2br($_POST['special']);
    $special = str_replace('"', "&#34;", $special);
    $special = stripslashes($special);
    $special_prompt = "<p><span class=\"red\">Special Requests:</span> $special </p>";
} else {
    $special_prompt = "";
}
?>

Shit - the js on this site is fing up my code. The line should be:

$special = str_replace('"', "[ampersand][pound][thirty four][semicolon]", $special);
BlueSkyIS Posted May 8, 2008

Don't forget the myriad other characters that can screw up HTML, for instance greater than, less than, exclamation point, and many others. Use htmlspecialchars() to avoid having to str_replace() for every single possibility.
benphp Posted May 8, 2008

I use a function that allows me greater control over what is replaced and when. Note that the code below will be screwed due to this site's JS:

<?php
function fnTick($string) {
    $string = str_replace("'", "&#39;", $string);
    $string = str_replace('/', "&#47;", $string);
    $string = str_replace('<?', "<&#63;", $string);
    $string = str_replace('=', "&#61;", $string);
    $string = str_replace('?>', "&#63;>", $string);
    $string = str_replace('?', "&#63;", $string);
    $string = str_replace("\r", " <br /> ", $string);
    $string = str_replace("\r", "", $string);
    $string = str_replace("\n", "", $string);
    $string = str_replace('"', "&#34;", $string);
    $string = str_replace('!', "&#33;", $string);
    $string = str_replace('$', "&#36;", $string);
    $string = str_replace('%', "&#37;", $string);
    $string = str_replace('(', "&#40;", $string);
    $string = str_replace(')', "&#41;", $string);
    $string = str_replace('*', "&#42;", $string);
    $string = stripslashes($string);
    return $string;
}
?>
BlueSkyIS Posted May 8, 2008

Hm, that doesn't work for me for form inputs:

<?php
function fnTick($string) {
    $string = str_replace("'", "&#39;", $string);
    $string = str_replace('/', "&#47;", $string);
    $string = str_replace('<?', "<&#63;", $string);
    $string = str_replace('=', "&#61;", $string);
    $string = str_replace('?>', "&#63;>", $string);
    $string = str_replace('?', "&#63;", $string);
    $string = str_replace("\r", " <br /> ", $string);
    $string = str_replace("\r", "", $string);
    $string = str_replace("\n", "", $string);
    $string = str_replace('"', "&#34;", $string);
    $string = str_replace('!', "&#33;", $string);
    $string = str_replace('$', "&#36;", $string);
    $string = str_replace('%', "&#37;", $string);
    $string = str_replace('(', "&#40;", $string);
    $string = str_replace(')', "&#41;", $string);
    $string = str_replace('*', "&#42;", $string);
    $string = stripslashes($string);
    return $string;
}
$content = "What><!-- Happen't to this?>";
?>
<HTML>
<BODY>
<FORM>
<INPUT TYPE='TEXT' NAME='testtext' VALUE='<?=fnTick($content);?>'>
</FORM>
</BODY>
</HTML>

Output: a text field with the following in it:

What><!-- Happen't to this?>

I don't want that code visible nor in the input.
benphp Posted May 8, 2008

The javascript on this site screws up the code:

$string = str_replace("'", "&#38;#39;", $string);

is all wrong. It should be

$string = str_replace("'", "[ampersand]#39;", $string);

I'll try it outside of the code tags:

function fnTick($string) {
    $string = str_replace("'", "&#39;", $string);
    $string = str_replace('/', "&#47;", $string);
    $string = str_replace('<?', "<&#63;", $string);
    $string = str_replace('=', "&#61;", $string);
    $string = str_replace('?>', "&#63;>", $string);
    $string = str_replace('?', "&#63;", $string);
    $string = str_replace("\r", " ***br /*** ", $string); //replace *** with less/greater than
    $string = str_replace("\r", "", $string);
    $string = str_replace("\n", "", $string);
    $string = str_replace('"', "&#34;", $string);
    $string = str_replace('!', "&#33;", $string);
    $string = str_replace('$', "&#36;", $string);
    $string = str_replace('%', "&#37;", $string);
    $string = str_replace('(', "&#40;", $string);
    $string = str_replace(')', "&#41;", $string);
    $string = str_replace('*', "&#42;", $string);
    $string = stripslashes($string);
    return $string;
}
Adeus Posted May 8, 2008 (Author)

Hrm, I've tried all these ideas and I still can't get it to work right. My latest attempt:

//$_POST['special'] is from a <textarea> with value = "Here are some "quotes.""
if (isset($_POST['special']) && $_POST['special'] != "") {
    $special_prompt = "<p><span class='red'>Special Requests:</span> ".stripslashes(stripslashes(nl2br(htmlentities($_POST['special'], ENT_QUOTES))))."</p>";
} else {
    $special_prompt = "";
}
echo $special_prompt;
//returns: Here are some

I'm starting to think it may not be carrying over from the textarea correctly... going to do some more testing.
BlueSkyIS Posted May 8, 2008

You don't want to use htmlentities.
Adeus Posted May 8, 2008 (Author)

I changed it to htmlspecialchars; everything works (', ?>, >, <, etc...) except double quotes. When I echo $_POST['special'], it returns everything before the double quotes followed by 2 slashes (\\) and nothing after that.
BlueSkyIS Posted May 8, 2008

I use htmlspecialchars() with ENT_QUOTES, but I single-quote all field values, e.g.,

$the_string = "Hello! Don't mess up with this single quote.";
$output = "<INPUT TYPE='text' NAME='somefield' VALUE='".htmlspecialchars($the_string, ENT_QUOTES)."'>";

If you're using double-quoted field values, you'll need to use ENT_NOQUOTES:

$output = '<INPUT TYPE="text" NAME="somefield" VALUE="'.htmlspecialchars($the_string, ENT_NOQUOTES).'">';

I prefer single-quoted form values for several reasons.
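The whole three-step flow from the first post, written out as an added example (this is not code from the thread or from any of its posters). It escapes once per output context with htmlspecialchars() and ENT_QUOTES, which handles both single- and double-quoted attributes; ENT_NOQUOTES leaves the double quote untouched, so inside a double-quoted value attribute the browser would end the attribute at the first " in the input, which is the truncation the thread started with. The stripslashes() call is made conditional on magic_quotes_gpc actually being on, so a user's own backslashes are not eaten. The names h(), rawPost(), hiddenFieldUnescaped(), hiddenField() and specialPrompt(), and the sample submission, are choices made for this example.

```php
<?php
// Added example (not code from the thread): textarea -> hidden field -> display,
// escaping once per output context instead of chaining stripslashes()/str_replace().
// h(), rawPost(), hiddenFieldUnescaped(), hiddenField() and specialPrompt() are
// names chosen for this example.

// Escape for HTML text or for a quoted attribute value. ENT_QUOTES converts both
// ' and ", so the result is safe whether the attribute is single- or double-quoted.
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Read a POST value, undoing magic_quotes_gpc at most once and only when PHP really
// added the backslashes. Magic quotes were removed in PHP 5.4 and the function itself
// in PHP 8.0, so on a modern interpreter nothing is stripped and the user's own
// backslashes survive.
function rawPost($key) {
    if (!isset($_POST[$key])) {
        return '';
    }
    $v = $_POST[$key];
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $v = stripslashes($v);
    }
    return $v;
}

// What the thread's hidden field does: the raw value is dropped into a double-quoted
// attribute, so the first " in the value closes the attribute and the browser drops
// the rest. Kept here only to show the failure next to the fix.
function hiddenFieldUnescaped($name, $value) {
    return "<input type=\"hidden\" name=\"$name\" value=\"$value\" />";
}

// Step 2 done safely: every value passes through h() before it touches markup.
function hiddenField($name, $value) {
    return '<input type="hidden" name="' . h($name) . '" value="' . h($value) . '" />';
}

// Step 3: escape first, then nl2br(), so the <br /> tags nl2br() inserts survive
// while anything the user typed is rendered as inert text.
function specialPrompt($value) {
    if ($value === '') {
        return '';
    }
    return '<p><span class="red">Special Requests:</span> ' . nl2br(h($value)) . '</p>';
}

// Constructed sample submission, shaped like the input that broke in the thread.
$_POST['special'] = "Here's some \"double quotes.\"\nAnd a <b>tag</b> on line two.";
$special = rawPost('special');

echo "Unescaped hidden field (the browser stops at the first double quote):\n";
echo hiddenFieldUnescaped('special', $special), "\n\n";

echo "Escaped hidden field:\n";
echo hiddenField('special', $special), "\n\n";

echo "Step 3 output:\n";
echo specialPrompt($special), "\n";
```

Run it from the command line with php on the file; $_POST is assigned directly so no browser is needed. The one rule the block follows is that the raw value is never concatenated into markup: it is escaped when it is written into the hidden field, and escaped again from the fresh $_POST value when it is displayed, because each step receives the original text back from the browser, not the entity-encoded form.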