[RESOLVED] Inconsistent behavior with str_replace on single quote

mottwsc

I'm checking an input field and replacing all instances of a single quote with &#39 for proper redisplay.

$firstNameClean = trim($_POST[firstName]);
if( !ereg("^([A-Za-z'. -]{2,30})+$", $firstNameClean) )
{ 
	$message = 
	$message."You have not provided a valid first name.<br>";
	$firstNameClean = str_replace("'", "&#39", $firstNameClean);
}

However, I seem to get different results with different cases:
aba redisplays aba
'aba redisplays nothing
'aba' redisplays nothing
aba'cdc redisplays aba
aba'cdc" redisplays aba'cdc"
'aba'cdc" redisplays 'aba'cdc"

Can anyone provide advice as to how to deal with the single quote situation to get consistent results?

Thank you.

dptr1988

If you are doing this to prepare your strings for HTML, you can use htmlspecialchars()

http://us2.php.net/manual/en/function.htmlspecialchars.php

reddrum

Try this

$firstNameClean = preg_replace("/\'/", "&#39",  $firstNameClean);

mottwsc

Thanks for the suggestion. I replaced the str_replace line with your preg_replace line. Unfortunately, that yields the same result.

In other scripts, I've been able to handle the single quote successfully because I use these before writing it to the database. On redisplay, it is handled fine.

$firstNameClean = str_replace("'", "&#39", $firstNameClean);

$firstNameClean = mysqli_real_escape_string($cxn, $firstNameClean);

In this case, however, I'm not writing to the database and then reading it again for display in a form. Instead, I'm just reading the input field through trim($_POST[firstName]) and then checking it with the code (shown in the prior post) before redisplaying it in the input field.

So, when I start with "John's car", I end up with "John" in the input field when it redisplays.

Any other suggestions (from anyone)?

Weedpacket

mottwsc wrote:
Any other suggestions (from anyone)?

You said it yourself:

$firstNameClean = str_replace("'", "&#38;#39;", $firstNameClean);

I'll just point out to anyone else reading this that this forum rewrites numeric entities (as it should, really): leaving the terminating semicolon off avoids that happening, which is why mottwsc has "&#39" instead of the proper "&#39;".

So, when I start with "John's car", I end up with "John" in the input field when it redisplays.

Hence dptr1988's suggestion.

mottwsc

That works. Thanks to all.