getting rid of quotes in strings

[smerny]

sick of trying to deal with them in multiple ways (entering in and taking from database, echoing, echoing within a text input, etc) so i would just like to get rid of them.

 

turn: bob's house

into: bobs house

 

tried string replace but i keep getting issues

[smerny]

nevermind, got it with this

 

str_replace(array("'",'"'), "", $str);

(single quotes around double quote, double quotes around single quote)

[ignace]

Provide some code if done correctly should have worked

[smerny]

if you are meaning a way to keep quotes with it working well, please just let me know what to do:

1) between getting information from user and storing into the database

2) between taking from database and echoing

3) between taking from database and echoing within a text input (if different)

 

currently i have:

$mapped = array_map ('mysql_real_escape_string', $_POST);
$_POST = array_map ('htmlspecialchars', $mapped);

before submitting to the database, when I pull from database into text input... it would turn:

 

bob's house

 

into:

 

bob\

 

 

[smerny]

and in the database it shows up as:

 

bob\'s house

[smerny]

suggestions?

[Daniel0]

That's because you're escaping them twice.

[smerny]

can you explain what i am doing wrong and let me know what i need to do to make it work right?

 

i did the sql escape to prevent injection and i did the htmlspecialchars to prevent people from putting html code in

[Daniel0]

No, I can't explain what you're doing wrong besides what I just told you. I'm visiting some family during the holidays and I left my crystal ball at home.

 

Somehow you are doing something that is resulting in double escaping. You may be calling things like mysql_real_escape_string() multiple times, or you have magic quotes turned on which means either 1) you're running PHP 4, in which case you should upgrade, or 2) you turned it on manually, in which case I have no idea why you would do that.

[smerny]

$mapped = array_map ('mysql_real_escape_string', $_POST);

$_POST = array_map ('htmlspecialchars', $mapped);

 

that's the only thing being done to POST data before being entered into the database

 

i'm on PHP 5

 

never messed with magic quotes, don't even know how to turn it on

[Daniel0]

Obviously your script consists of more code than that. How about the code where you actually execute the query?

[smerny]

	$action = "UPDATE penguins SET ";
$updated = array();

if($_POST['code']==$passcode){
	if($_POST['area'] != $peng['area'] && $_POST['area'] != ""){
		$action .= "area='{$_POST['area']}', ";
		$updated[] = "area";
		}
	if($_POST['type'] != $peng['type'] && $_POST['type'] != ""){
		$action .= "type='{$_POST['type']}', ";
		$updated[] = "type";
		}
	if($_POST['points'] != $peng['points'] && $_POST['points'] != ""){
		$action .= "points='{$_POST['points']}', ";
		$updated[] = "points";
		}
	}

if($_POST['location'] != $peng['location'] && $_POST['location'] != ""){
	$action .= "location='{$_POST['location']}', ";
	$updated[] = "location";
	}
if($_POST['trapped'] != $peng['trapped'] && $_POST['trapped'] != ""){
	$action .= "trapped='{$_POST['trapped']}', ";
	$updated[] = "trapped status";
	}
$action = substr_replace($action,"",-2);
$action .=" WHERE ID='{$id}'";	

$count = count($updated);
if($count == 0){
	echo "<div class='penghead'>You didn't change anything.</div>";
	return;
}
else{

	$result = mysql_query($action) or die("SQL Error: " . mysql_error());

[Daniel0]

Well, either you are escaping it twice or you're running with magic quotes turned on. Just escape it when you need it. It's bad practice making global changes anyway.