8

I have to create a login form into which a user will enter a username and a password. I have to ensure that HTML entities are not processed, and I cannot allow single quotes or double quotes to be processed either. I must echo the data entered into the form and display it.

I must use htmlentities and str_replace. I have the htmlentities part correct, but I am unsure how to use the str_replace function to replace the single and double quotes that the user might enter into the form. Any help would be awesome.

Here is my current PHP (which works):

<?php
// Escape the submitted values so the browser shows them literally instead of
// parsing them as HTML. Quotes are a separate concern (see the question).
$username = htmlspecialchars($_POST['username'] ?? '');
$password = htmlspecialchars($_POST['password'] ?? '');
$comment  = htmlspecialchars($_POST['comment'] ?? '');
?>
<html>
<body>
Your username is: <?php echo $username; ?><br />
Your password: <?php echo $password; ?><br />
Your Comment was: <?php echo $comment; ?>
</body>
</html>

Techie
Jeremy Flaugher
  • 2
    What's wrong with the quotes? It will do nothing harmful according to your code. (You are not using a database. PHP can handle slashes automatically.) – AKS Feb 07 '13 at 05:01
  • That is what the instructor wants. He wants to make sure we know how to use the str_replace function. So far it has only made my head hurt (I am very new to PHP). – Jeremy Flaugher Feb 07 '13 at 05:03

7 Answers

22

First of all, it is always better to check for the unwanted characters and get back to the user than to silently strip them. Say a user added a quote to their password and you removed it; they won't be able to log in at all! So it's better to check and tell the user instead:

$errors = [];
if (!ctype_alnum($username)) { 
    $errors[] = "Only letters and numbers allowed in username";
}
...
if ($errors) {
    echo "You've got some errors, please fix them: " . implode("<br>", $errors);
} else {
    // proceed with normal flow
}

But in this specific case I would advise against replacing any characters. Imagine Shaquille "Shaq" O'Neal is going to register on your site. What's the point in stripping him of all those quotes? Let alone the password, where use of punctuation is strongly encouraged.

After all, those quotes don't do any harm, if you properly handle them.

  • for HTML, simply use htmlspecialchars() with ENT_QUOTES attribute:

      Your username is: <?= htmlspecialchars($username, ENT_QUOTES) ?><br />
    
  • for SQL, use prepared statements to avoid any problems with quotes

But just for the sake of a literal answer, here is how to remove quotes (or any other characters, and even multi-character substrings) in PHP:

$yourVariable = "scor\"pi'on";
$substringsToRemove = ['\'', '"'];
$yourVariable = str_replace($substringsToRemove, "", $yourVariable);
Your Common Sense
ScoRpion
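The three recommendations in the answer above (validate and report rather than strip, escape with ENT_QUOTES for the HTML context, and only as a last resort remove quotes with str_replace) put together as one runnable command-line script. This is an added example, not code from the answer: the usernames are constructed test inputs, and the function names validateLogin, h and stripQuotes are this example's own.

```php
<?php
// Added example, not code from the answer above. Demonstrates: validating and
// reporting instead of silently stripping, escaping for an HTML attribute with
// ENT_QUOTES, and (the literal answer) removing quotes with str_replace().
// The usernames below are constructed test inputs; the function names are
// this example's own.
declare(strict_types=1);

/** Validate the login fields and return a list of human-readable errors. */
function validateLogin(string $username, string $password): array
{
    $errors = [];
    if (!ctype_alnum($username)) {
        $errors[] = 'Only letters and numbers are allowed in the username';
    }
    if (strlen($username) > 32) {
        $errors[] = 'The username must be at most 32 characters';
    }
    if (strlen($password) < 8) {
        $errors[] = 'The password must be at least 8 characters';
    }
    return $errors;
}

/**
 * Escape a value for an HTML text node or a quoted attribute. ENT_QUOTES
 * converts both ' and ", so the value cannot close an attribute no matter
 * which quote character the attribute was opened with.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * The literal answer: delete both quote characters. Applied to the raw value,
 * not to the escaped one, because after htmlspecialchars() the double quote
 * is already the entity &quot; and str_replace('"', ...) would not find it.
 */
function stripQuotes(string $value): string
{
    return str_replace(["'", '"'], '', $value);
}

// Constructed inputs: a real name containing quotes, and an attempt to break
// out of a single-quoted attribute.
$inputs = [
    "Shaquille \"Shaq\" O'Neal",
    "x' onmouseover='alert(1)",
];

foreach ($inputs as $username) {
    echo "Raw input:            $username\n";
    // ENT_COMPAT escapes only the double quote (the default before PHP 8.1),
    // so the second input still closes the single-quoted attribute.
    echo "ENT_COMPAT attribute: <input value='"
        . htmlspecialchars($username, ENT_COMPAT, 'UTF-8') . "'>\n";
    echo "ENT_QUOTES attribute: <input value='" . h($username) . "'>\n";
    echo "Quotes stripped:      " . h(stripQuotes($username)) . "\n";

    $errors = validateLogin($username, 'correct horse battery');
    echo $errors
        ? 'Rejected: ' . implode('; ', $errors) . "\n\n"
        : "Accepted\n\n";
}
```

Run it with `php example.php`. The ENT_COMPAT line for the second input is the case the answer warns about: with only the double quote escaped, a single-quoted attribute is closed by the input and the rest of it becomes a new attribute. With ENT_QUOTES the same input is rendered inert, and the legitimate "Shaq" O'Neal value survives intact. Both inputs are rejected by validateLogin, which is the answer's point about telling the user rather than silently changing what they typed.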
4
$keyItem = str_replace("'", "\'", $keyItem);

This replaces a single quote with an 'escaped' single quote \' .

user462990
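What the one-character backslash escape from the answer above produces when the result is concatenated into SQL, next to a parameterised query that does not build the statement from the value at all. This is an added example, not code from the answer: the attacker string, the users table and the function names naiveQuery and findUser are constructed for the demonstration, and it assumes PHP's pdo_sqlite driver is available.

```php
<?php
// Added example, not code from the answer above. Shows the query text that
// str_replace("'", "\'", ...) yields when interpolated into SQL, and the
// prepared-statement alternative. All data here is constructed; pdo_sqlite
// is assumed to be installed.
declare(strict_types=1);

/** The approach from the answer above: turn ' into \' and interpolate. */
function naiveQuery(string $username): string
{
    $escaped = str_replace("'", "\\'", $username);
    return "SELECT * FROM users WHERE username = '$escaped'";
}

/** Parameterised query: the value never becomes part of the SQL text. */
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A backslash placed in front of the quote defeats the replacement: the input
// \' becomes \\' in the query, which a backslash-escaping dialect such as
// MySQL reads as an escaped backslash followed by a bare, string-closing
// quote. Everything after it is then parsed as SQL.
$attacker = "\\' OR 1=1 -- ";
echo naiveQuery("O'Neal") . "\n";
echo naiveQuery($attacker) . "\n";

// The same lookups through PDO with bound parameters, against an in-memory
// SQLite database created for this example.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO users (username) VALUES (:u)');
foreach (["O'Neal", 'Shaq "Diesel"'] as $name) {
    $insert->execute([':u' => $name]);
}

// Quotes in the value are stored and compared literally, so the legitimate
// name is found and the payload matches no row.
var_dump(findUser($db, "O'Neal"));
var_dump(findUser($db, $attacker));
```

The first echo shows the intended case, `'O\'Neal'`, and the second shows `'\\' OR 1=1 -- '`, which is the injection the replacement was supposed to prevent. Replacing quotes is only an escaping rule for one character in one dialect; a bound parameter is independent of the dialect's quoting and of the connection's character set, which is why the top answer points to prepared statements for SQL.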
3
$username = htmlentities(str_replace(array('"', "'"), '', $_POST['username']));
Barmar
1
$username = str_replace(array("'", "\""), "", htmlspecialchars($_POST['username']));
Samuel Liew
0

Try the below code to replace double quotes

str_replace(chr(34), "replace_with", $content);

For single quotes

str_replace("'", "replace_with", $content);
Techie
0

To delete quotes, you can use this:

$search = 'cars "black" in ...';
$search = str_replace("\"", "", $search);
// result: "cars black in ..."
Emil
-1
$username_test = $_POST['username'];
// Strip the quotes after escaping; by then the double quote is already &quot;.
$username = str_replace(array("'", "\"", "&quot;"), "", htmlspecialchars($username_test));

// same for password :)
Cleb
rahul
    Could you add some details of why this should work? Code-only answers are not very useful and are subject to deletion. – Cristik Nov 04 '15 at 14:14
  • In this example we search the username. Let's suppose it is cris'tik. It would find the quote (') in the username and replace it with a space. The answer was relevant to the question, so I didn't think an explanation was needed. – rahul Nov 04 '15 at 19:18
  • 1
    Even if the asker wanted only the code (which doesn't look to be the case here), and for him your answer would be enough, one of the qualities of SO is that answerers also try to educate people instead of giving them copy-and-paste answers. This is why an answer explaining the solution is received much better and gets more votes than ones that don't. – Cristik Nov 04 '15 at 19:50