3

Doing a uni assignment with HTML, XML and PHP 5.3 (no SQL). Building a review website. I have a textarea in which the user can place their comments. If the user enters an apostrophe, e.g. World's Best Uni!, when I echo $_REQUEST['reviewtext'] I get World\'s Best Uni!

To massage the data for saving in the XML, I have the following code:

$cleantext1 = htmlspecialchars($_REQUEST['reviewtext']);
substr_replace($cleantext1,"\'","'");
$cleantext2 = strip_tags($cleantext1);
$cleantext3 = utf8_encode($cleantext2);

I have echoes at each step and the quote remains World\'s Best Uni! at each step. I expected one of the first two lines to replace the escaped apostrophe with an HTML code, but it doesn't seem to work.

Interestingly, this problem doesn't happen on my local XAMPP server; only on my hosted website.

Any suggestions? Thanks, Sean

srodden
  • 57
  • 1
  • 4

3 Answers

8

What you are experiencing is PHP's Magic Quotes feature, which is automatically escaping input from GET, POST and COOKIE. It is not wise to rely on this feature; it is deprecated as of PHP 5.3 and tends to default to off on most configurations (but not in your Uni's config).

You can use get_magic_quotes_gpc() to determine if this is turned on, and if so, unescape the data.

if (get_magic_quotes_gpc()) {
    $val = stripslashes($_POST['val']);
} else {
    $val = $_POST['val'];
}

The magic quotes reference goes into more detail on the history, usage, and how to deal with magic quotes.

Also, just an aside: when you output data, always make sure you escape it (e.g. htmlspecialchars()), and when you process input from any untrusted source, make sure to filter it (e.g. addslashes(), mysql_real_escape_string()).

drew010
  • 68,777
  • 11
  • 134
  • 162
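The check from this answer, carried a little further as an added example (not the answer's own code): magic quotes also escapes array keys and nested array values, so the unescape has to recurse, and it must only run when the server actually added the backslashes, otherwise a genuine backslash typed by the user is destroyed. The `$magic_quotes_on` parameter and the function names are my own; the `$_REQUEST` value is a constructed sample standing in for what PHP hands you when the feature is on.

```php
<?php
// Added example, not from the original answer.
// get_magic_quotes_gpc() exists on PHP 5.3 (deprecated in 5.4, removed in 8.0),
// so its presence is checked before it is called.

/**
 * Undo the escaping magic_quotes_gpc applied to a GET/POST/COOKIE value.
 *
 * $magic_quotes_on: true/false to force, null (default) to detect from the
 * running PHP. Stripping unconditionally is wrong: with the feature off, a
 * backslash the user really typed would be removed.
 */
function unescape_gpc($value, $magic_quotes_on = null)
{
    if ($magic_quotes_on === null) {
        $magic_quotes_on = function_exists('get_magic_quotes_gpc')
            && get_magic_quotes_gpc();
    }
    if (!$magic_quotes_on) {
        return $value;                       // nothing was added, nothing to remove
    }
    if (is_array($value)) {                  // e.g. <input name="tags[]">
        $out = array();
        foreach ($value as $key => $item) {  // keys are escaped too
            $out[stripslashes($key)] = unescape_gpc($item, true);
        }
        return $out;
    }
    return stripslashes($value);
}

/**
 * Escape text for inclusion in an HTML page. ENT_QUOTES covers the
 * apostrophe as well as the double quote, and the explicit charset removes
 * the encoding ambiguity that htmlspecialchars() otherwise leaves open.
 */
function escape_for_html($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: what $_REQUEST holds for the textarea from the question
// when magic quotes is on. A real request is filled in by PHP itself.
$_REQUEST['reviewtext'] = "World\\'s Best Uni!";

// Force "on" here so the demonstration does not depend on this machine's php.ini;
// in the application itself, omit the second argument and let it detect.
$review = unescape_gpc($_REQUEST['reviewtext'], true);

// Keep the raw text for storage (the XML writer does its own escaping) and
// escape only at the point where it is written into an HTML page.
echo escape_for_html($review), "\n";
```

Keeping the stored copy raw and escaping at output is the safer split than escaping on input: the same review can then be written to XML, HTML or a plain-text email with the escaping appropriate to each, and a later change of output format does not require re-processing everything already saved.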
2

Try switching off magic quotes (a PITA IMO!). (As posted above while I was typing my response, drew's method would be the most flexible for portability.) By the way, no need to declare new variables if you aren't going to process variables in different ways; so after you clean the text with htmlspecialchars, I would toss it into $cleanreview. Also, you are not specifying a character encoding, which can come back to bite you. I use UTF-8 since it seems like the most forward-thinking encoding that's already widely supported.

http://www.php.net/manual/en/function.htmlspecialchars.php

BTW, I'm a stickler for proper punctuation too, so in my code I replace the HTML entities on output:

$syn = str_replace("'", "’", $syn);
$syn = str_replace("“", "“", $syn);
$syn = str_replace("”", "”", $syn);
$syn = str_replace(" -- ", "—", $syn);

But of course that's assuming UTF-8 being declared in your html (first item after the tag for speed).

M Noivad
  • 96
  • 7
  • Worrying about perfect punctuation is out of the scope of the assignment :) Thanks for the comments on reusing variables and utf8 encoding. – srodden Feb 17 '12 at 07:40
  • Heh. For most people this is out of scope because they do not know the difference between an apostrophe and a foot mark. Only professional typesetters, copy editors and people that appreciate proper typography care about it. If you are doing this for a personal project, then by all means, decide what level of professionalism you are comfortable with. If it is a project for your work or a client, you probably are not going to lose your job over not doing it properly anyway. So, there is no need to bother with it, from a certain point of view. – M Noivad May 08 '12 at 17:33
0

This effect of automatic escaping of some characters is called "magic quotes" and can be turned on/off in the php.ini configuration file. Apparently, in the configuration of your local server it is turned off, while on the hosted server it is on.

For more info, just consult the PHP reference for "magic quotes".

Imp
  • 8,409
  • 1
  • 25
  • 36