Those dreaded quotes...

Anon

DISCLAIMER:
I've had a hunt around on here already, but I'm still struggling (with quotes).

PROBLEM:
I'm taking information from a form in one page, then displaying it in the subsequent POST page. The problem is as follows; I've fudged single quote replacement using this code;

$text = str_replace("\'","'",$text);

Trouble is, I'd like to give the user the option of entering double quotes into the $text variable also. I replicated the single quote code above, but it doesn't appear to be working;

$text = str_replace("\"",""",$text);

when $text is printed to screen and it contains double quotes, they always appear as \" (still) in the HTML output, e.g;

$text contains the sentence "big fluffy animals"
When called to screen, it prints \"big fluffy animals\"

I've had a fiddle with my PHP.ini file, and this is what it looks like at present;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = On

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

Sorry to be so anal when posting the details, just trying to be thorough. Any help would be greatly appreciated...

marcel

replace
$text = str_replace("\"",""",$text);
with
$text = str_replace("\\"","\"",$text);
or
$text = str_replace("\\"",'"',$text);

best solution:
exist function stripSlashes()

but.. is better to check first if you have magic_qoutes_gpc On or Off

if ( get_magic_quotes_gpc() )
$string = stripSlashes($string_);

Atenttion: if you want to INSERT $string in database is better to live the $string as original (escaped).

Anon

Thanks Marcell

I'm now using the following;

$text = striplashes ($text);

It works fine at the moment, but the $text entry will eventually be going into a database, for future reference and editing.

Basically, I've created a webpage maker in ColdFusion, and I'm translating it into PHP - it works in the following way;
1. Complete a content form (what text, links, etc. that you want to appear on the page).
2. Form entries are inserted (or ammended, if editing an existing page) into a table. 3. Table entries are extracted and placed into whatever page template the user chose via the original form.
4. Populated template is then saved as a HTML file, and a link to it added to the sitemap.

At the moment, I've skipped steps 2 and 4 in the PHP version, just displaying form entries from step 1 in a default template page. When I get around to adding the database and filesave support, are you saying that I should NOT be using stripslashes() BEFORE inserting the table entries?

marcel

yup...
usualy on web sites after user has complete a for we should provide a preview about what he/she has insert
I do like this:
if ( get_magic_quotes_gpc() )
$unescaped_string = stripSlashes($string);
echo $unescaped_string;

If user said OK
we should insert something in DB,
so we should keep the original $string for inserting .

eventualy we should escape single_qoute ( ' )
if magic_qoutes_gpc was Off...

depends what you want to do...
in any case the idea is: don't trust php.ini about magic_qoutes_gpc
(the file could be changed)

Always check with get_magic_quotes_gpc()

Anon

Thanks PM

That certainly makes sense to me now, especially with the "User Preview" function.

Very much appreciated!