Escaping Quotes


rarebit

Hi,

I write some config files for my site; I do this by outputting PHP and then just including it. Until now it's just been me using it, but now that others are, possible errors can appear. Basically I need to allow all types of quotes in strings from form text and textarea fields, and then preferably use them without using any functions. For instance, in the following example I want to be able to do it without having to 'stripslashes' at the print statements.

 

<?php
error_reporting(E_ALL);

$filename = "config.php";

// Overwrite $fn with the string $s.
function file_write($fn, $s)
{
    $fp = fopen($fn, "w");
    fwrite($fp, $s);
    fclose($fp);
    return 0;
}

// Build the PHP source of the config file; values go into single-quoted literals.
function prepare_file($ptitle, $ptagline)
{
    $s = "<?php\n";
    $s .= "\$title = '".$ptitle."';\n";
    $s .= "\$tagline = '".$ptagline."';\n";
    $s .= "?>\n";
    return $s;
}

if (isset($_POST['UPDATE']))
{
    // addslashes() escapes ', " and \ before the values are written out.
    $ptitle = addslashes($_POST['title']);
    $ptagline = addslashes($_POST['tagline']);

    $s = prepare_file($ptitle, $ptagline);
    file_write($filename, $s);
}

// Load $title and $tagline from the generated file.
include($filename);

// \" is not an escape inside a single-quoted literal, hence the stripslashes().
print stripslashes($title);
print stripslashes($tagline);
print "<br><br>";

print "<form method='POST' action=''><table>";
print "<tr valign='top'><td align='right'>Title:</td><td><input type='text' name='title' size='32' value='".htmlentities(stripslashes($title), ENT_QUOTES)."'></td></tr>";
print "<tr valign='top'><td align='right'>Tagline:</td><td><textarea name='tagline' rows='7' cols='32'>".htmlentities(stripslashes($tagline), ENT_QUOTES)."</textarea></td></tr>";
print "<tr valign='top'><td align='right'><br></td><td><input type='submit' name='UPDATE' value='Update'></td></tr>";
print "</table></form>";
?>

 

and the config file can look like this...

<?php
$title = '<h3>\'My\'    \"Titles\"</h3>';
$tagline = '\"The\"    \'taglines\'';
?>

 

How can this be done please?

https://forums.phpfreaks.com/topic/121940-escaping-quotes/

Instead of adding slashes, do a str_replace.

 

Double quotes can be represented as &#34; and single quotes can be represented as &#39;. So once the data is submitted, use str_replace:

 

Example:

$teh_textarea = str_replace(array("\"", "'"), array("&#34;", "&#39;"), $teh_textarea_value);

 

Does that help?

https://forums.phpfreaks.com/topic/121940-escaping-quotes/#findComment-629367
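
An added example, not code from either poster: one way to get the round trip the question asks for is to let PHP serialise the values itself with var_export() and to escape only at output. The function name write_config() and the temp-file path are assumptions made for the example, and the sample values are constructed.

```php
<?php
// Added example (not code from the thread). write_config() and the file
// path below are hypothetical names chosen for this sketch.

// Serialise values as PHP literals. var_export() emits a correctly quoted
// literal for any string, so no addslashes() is needed and the included
// value is exactly what was submitted.
function write_config(string $path, array $values): void
{
    $src = "<?php\nreturn " . var_export($values, true) . ";\n";
    // Write to a temp file, then rename, so a reader never includes a partial file.
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, $src, LOCK_EX) === false || !rename($tmp, $path)) {
        throw new RuntimeException("cannot write $path");
    }
}

$path = sys_get_temp_dir() . '/config_example.php';

// Constructed sample input standing in for $_POST['title'] / $_POST['tagline'].
$submitted = [
    'title'   => "<h3>'My'    \"Titles\"</h3>",
    'tagline' => "\"The\"    'taglines' ending in a backslash \\",
];

// Keep only the expected keys, forced to strings.
$clean = [];
foreach (['title', 'tagline'] as $key) {
    $clean[$key] = (string) ($submitted[$key] ?? '');
}
write_config($path, $clean);

// Reading back: the file returns the array, no stripslashes() required.
$config = include $path;
var_dump($config === $clean); // round-trip check

// Escape at the point of output, for the context being written to.
$attr = htmlspecialchars($config['title'], ENT_QUOTES, 'UTF-8');
echo "<input type='text' name='title' size='32' value='$attr'>\n";
echo "<textarea name='tagline' rows='7' cols='32'>",
     htmlspecialchars($config['tagline'], ENT_QUOTES, 'UTF-8'),
     "</textarea>\n";
```

Because the stored value is the raw string, printing it unescaped outside the form (as the original script does with `$title`) renders whatever HTML the submitter typed, so that is only appropriate when everyone who can submit the form is trusted to author markup.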

Archived

This topic is now archived and is closed to further replies.
