8

I know there are other ways of escaping only single quotes (such as this answer), but it appears to me that there should be a way using htmlspecialchars().

According to the manual, it should be some combination of their constants, but based on their explanations, I don't see it.

Is it possible to escape only single quotes, leaving the double quotes alone, with htmlspecialchars()?

Luke Shaheen

  • Why do you need this? It seems like a problem to me. – Halcyon May 14 '12 at 21:05
  • if it's just single quotes, then use str_replace – Marc B May 14 '12 at 21:06
  • [This](http://www.php.net/manual/en/function.htmlspecialchars.php#99185) might help – Sunil Kartikey May 14 '12 at 21:19
  • @FritsvanCampen Why do I need this? I'm using "Google Visualizations: Table", which requires me to send the data via javascript. I've written a PHP function to build this javascript from data passed to the function, and I'd rather just have the PHP function internally escape the single quotes (used to mark a string in the passed javascript to Google), rather than having to escape the data before I pass it to the function. But, sometimes that data passed to the PHP function contains HTML, which I do not want to escape. Make sense? – Luke Shaheen May 15 '12 at 18:26
  • If you're sending JavaScript use `json_encode`? – Halcyon May 15 '12 at 23:39

3 Answers

13

Here's the combination of constants you're looking for.

$escaped_string = htmlspecialchars($string, ENT_QUOTES & ~ENT_COMPAT, $encoding);

This will escape & ' < >, but leaves " alone. ENT_QUOTES & ~ENT_COMPAT is bit manipulation language meaning "both quotes, minus the double quotes".

This works because of how these constants are defined. php-src/ext/standard/html.h

#define ENT_HTML_QUOTE_NONE         0
#define ENT_HTML_QUOTE_SINGLE       1
#define ENT_HTML_QUOTE_DOUBLE       2

#define ENT_COMPAT      ENT_HTML_QUOTE_DOUBLE
#define ENT_QUOTES      (ENT_HTML_QUOTE_DOUBLE | ENT_HTML_QUOTE_SINGLE)
#define ENT_NOQUOTES    ENT_HTML_QUOTE_NONE

Why would you ever want to escape single quotes, but not double quotes? Well, the inverse of the reason you'd escape double quotes, but not single quotes: because you've got a string with lots of " double quotes and only a few ' single quotes, so you'd like to stick it in a '-delimited string.

An example:

<div data-myobject='<?= htmlspecialchars(json_encode($myobject), ENT_QUOTES & ~ENT_COMPAT, 'UTF-8') ?>'></div>

json_encode() creates lots of double quotes, so it makes sense to stick the result in a single-quote delimited attribute, and leave the double quotes unescaped.

Grilse

  • I know this is an old and closed question, but I couldn't find an answer to the original question anywhere, so I decided to post one. – Grilse Jun 18 '12 at 09:44
  • This should be the answer. I prefer `ENT_HTML5 | ENT_QUOTES & ~ENT_COMPAT` myself. – Isius May 30 '14 at 19:08
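The flag arithmetic above carried through on a constructed string, plus the attribute case from the answer wrapped in a helper with a round-trip check. This is an added example, not code from the answer or from PHP itself; `jsonAttr()` and `roundTrips()` are names of this example's own. Two facts it relies on: with the default ENT_HTML401 doctype the apostrophe is emitted as `&#039;` and under ENT_HTML5 as `&apos;`, and since PHP 8.1 the default flags already include ENT_QUOTES, so the flag argument has to be passed explicitly to get single-quote-only behaviour.

```php
<?php
declare(strict_types=1);

// Constructed input that mixes both quote characters with the other
// characters htmlspecialchars() touches.
$input = 'He said "it\'s <b>bold</b> & more"';

// ENT_QUOTES & ~ENT_COMPAT == 3 & ~2 == 1 == ENT_HTML_QUOTE_SINGLE:
// encode ' but leave " alone. The doctype flag only changes which
// entity the apostrophe becomes (&#039; for HTML 4.01, &apos; for HTML5).
$variants = [
    'single only (HTML 4.01)'  => htmlspecialchars($input, ENT_QUOTES & ~ENT_COMPAT, 'UTF-8'),
    'single only (HTML5)'      => htmlspecialchars($input, (ENT_QUOTES & ~ENT_COMPAT) | ENT_HTML5, 'UTF-8'),
    'double only (ENT_COMPAT)' => htmlspecialchars($input, ENT_COMPAT, 'UTF-8'),
    'both (ENT_QUOTES)'        => htmlspecialchars($input, ENT_QUOTES, 'UTF-8'),
];
foreach ($variants as $label => $out) {
    printf("%-26s %s\n", $label, $out);
}

/**
 * Attribute with a JSON value, delimited by single quotes so the JSON's
 * double quotes can stay literal. Only ' & < > are converted, which is
 * enough precisely because this helper always emits the ' delimiter itself;
 * the same escaped value inside a "-delimited attribute would be terminated
 * by the first raw double quote, so never reuse it that way.
 * (Helper name is this example's own, not a PHP function.)
 */
function jsonAttr(string $name, mixed $value): string
{
    $json = json_encode($value, JSON_THROW_ON_ERROR);
    return sprintf("%s='%s'", $name, htmlspecialchars($json, ENT_QUOTES & ~ENT_COMPAT, 'UTF-8'));
}

/**
 * Check that what the browser hands back after attribute decoding is the
 * original JSON byte-for-byte, i.e. nothing was lost by skipping the " escape.
 */
function roundTrips(string $json): bool
{
    $escaped = htmlspecialchars($json, ENT_QUOTES & ~ENT_COMPAT, 'UTF-8');
    return html_entity_decode($escaped, ENT_QUOTES | ENT_HTML401, 'UTF-8') === $json;
}

// Constructed object: an apostrophe, an escaped double quote and an HTML tag
// all inside the JSON, the cases a '-delimited attribute has to survive.
$myobject = ['title' => "Bob's \"Diner\"", 'html' => '<i>x</i>'];

echo '<div ', jsonAttr('data-myobject', $myobject), "></div>\n";
echo 'round trip ok: ', var_export(roundTrips(json_encode($myobject, JSON_THROW_ON_ERROR)), true), "\n";
```

On the client side the attribute is read back with `JSON.parse(el.dataset.myobject)`; the browser has already turned `&#039;`, `&lt;`, `&gt;` and `&amp;` back into the characters json_encode() produced, which is what `roundTrips()` verifies on the server. Note that `<` and `>` are still encoded even though the question only asks about quotes: htmlspecialchars() never leaves those alone, and in attribute context that is what makes HTML fragments inside the data inert.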
11
str_replace("'", "\\'", $string);

There.

Or, use ENT_QUOTES

htmlspecialchars($string, ENT_QUOTES);
Norse

  • I seriously doubt `\'` is the intended replacement string, if the goal is to put it in a HTML document. – May 14 '12 at 21:13
  • If he's trying to escape single quotes, that would be the intended string. – Norse May 14 '12 at 21:23
  • Escaping single quotes to put it in a `'`-delimited attribute means changing them to `&#39;` (or equivalent, if there is an equivalent -- I'm not sure). Your other suggestion, `ENT_QUOTES`, also converts double quote characters, which the question asks to leave alone. – May 14 '12 at 21:39
  • Final answer: used a combo of @hvd and Norse: `str_replace("'", "&#39;", $string);`, although I guess the technically correct answer to my question is `no, you cannot escape only single quotes with htmlspecialchars()`. – Luke Shaheen May 15 '12 at 18:23
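The comment thread above turns on which context the escaped string lands in: `\'` is the convention for a JavaScript string literal, `&#39;` the one for an HTML attribute. Since the asker's real target is a JavaScript call, here is an added example (not from this answer or its comments) that builds a single-quoted JS literal both ways on constructed cell values. The naive `str_replace` version handles the apostrophe and nothing else, so a backslash, a line break or a closing tag in the data still breaks the literal; `json_encode()` with the `JSON_HEX_*` flags, the route Halcyon pointed at, covers all of them. `jsLiteralNaive()` and `jsLiteralJson()` are names of this example's own.

```php
<?php
declare(strict_types=1);

/**
 * The str_replace approach from the answer, wrapped in the ' delimiters the
 * asker uses around strings in the generated JavaScript.
 */
function jsLiteralNaive(string $s): string
{
    return "'" . str_replace("'", "\\'", $s) . "'";
}

/**
 * json_encode() output is itself a valid JavaScript string literal. The HEX
 * flags turn < > & ' " into \uXXXX escapes so the literal stays inert even
 * when the generated script is inlined in a <script> element; backslashes
 * and control characters are escaped by JSON rules regardless of flags.
 */
function jsLiteralJson(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
}

// Constructed cell values: only the first is handled correctly by the naive
// version. A trailing backslash turns the closing ' into an escaped quote, a
// raw newline is illegal inside a JS string literal, and a closing tag ends
// the surrounding <script> element before the JS parser ever sees the quote.
$cells = [
    "it's fine",
    "C:\\path\\",
    "line one\nline two",
    "</script><b>x</b>",
];

foreach ($cells as $cell) {
    echo 'input: ', var_export($cell, true), "\n";
    echo '  naive: ', jsLiteralNaive($cell), "\n";
    echo '  json:  ', jsLiteralJson($cell), "\n";
}
```

For the asker's case, where the cell data may legitimately contain HTML that Google's table should render, `jsLiteralJson()` does not strip or entity-encode that markup; it only makes the characters safe to transport inside the script, and the browser receives the original string once the JavaScript is parsed.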
1

Use htmlspecialchars(...)

Then str_replace(...) on a double quote

Cole Tobin