0

I'm trying to convert a single quote into its relevant HTML code for database insertion, but it does not appear to be working. When I create the following script:

<?php
 $str = "& and ' and \" and < and >";
 echo htmlspecialchars($str);
?>

My browser returns the following:

&amp; and ' and &quot; and &lt; and &gt;

What am I doing wrong? I've read the PHP manual on htmlspecialchars() function and it says it applies to single quotes, but it doesn't seem to be working for me.

Malignus
  • 73
  • 1
  • 2
  • 6

1 Answers1

2

Use htmlentities() with the flag ENT_QUOTES. From the manual:

ENT_QUOTES Will convert both double and single quotes.

htmlentities($text, ENT_QUOTES);

If you just want to replace ' to &#39; you could use str_replace(), of course:

str_replace("'", "&#39;", $text);

However, since you want to insert the data into SQL code, please look into prepared statements in PDO or MySQLi. These functions serve the exact purpose you need (from what I can tell) and will be better than your own function. After all, why reinvent the wheel?

Just for the record, be sure not to use the deprecated MySQL functions in PHP – as explained in _Why shouldn't I use mysql__* functions in PHP?.

Community
  • 1
  • 1
ljacqu
  • 2,132
  • 1
  • 17
  • 21
  • @ljacqu: Thank you! I'm just getting started, so PDO is over my head, at the moment. I'll look into it. :) – Malignus Jul 19 '14 at 06:26
  • @Malignus I think MySQLi is a little friendlier in that aspect. I only know PDO, so I can't tell, but from the code I've seen it may be more straightforward. – ljacqu Jul 19 '14 at 06:27