6

I have this:

<input name="title" type="text" class="inputMedium" value="' . $inputData['title'] . '" />

I want to strip quotes from user input so that if someone enters something like: "This is my title" it won't mess up my code.

I tried this and it's not working:

$inputData['title'] = str_replace('"', '', $_POST['title']);
Peter Mortensen
Babak
  • Featured in *[Jeff Atwood: Stack Overflow - Building Social Software for the Anti Social](https://www.youtube.com/watch?v=NcS7ECsA7cc)* at 13 min 25 secs. (Which also indicates the talk was probably about 10 years earlier than the publication date of 2020.) – Peter Mortensen Feb 04 '22 at 03:04

3 Answers

8

If I understand the question correctly, you want to remove " from $inputData['title'], so your HTML code is not messed up?

If so, the "right" solution is not to remove double-quotes, but to escape them before doing the actual output.

Considering you are generating HTML, **you should use the `htmlspecialchars` function**; this way, double-quotes *(and a couple of other characters)* will be encoded to HTML entities, and will not cause any trouble when injected into your HTML markup.

For instance:

echo '<input name="title" type="text" class="inputMedium" value="'
   . htmlspecialchars($inputData['title'])
   . '" />';

Note: depending on your situation (especially, about the encoding/charset you might be using), you might need to pass some additional parameters to htmlspecialchars.

Generally speaking, you should always escape the data you are sending as an output, no matter what kind of output format you have.

For instance:

  • If you are generating some XML or HTML, you should use htmlspecialchars
  • If you are generating some SQL, you should use mysql_real_escape_string, or an equivalent, depending on the type of database you're working with
Peter Mortensen
Pascal MARTIN
  • Just noticed: one could use single quotes instead of double quotes in the input html (like ). But since htmlspecialchars leaves single quotes alone, this might be a security hole? – Sam Feb 28 '10 at 23:21
2

User input should be run through htmlspecialchars() to be used in this sort of case.

ceejayoz
-1

I highly recommend that you use htmlentities($string, ENT_QUOTES) before displaying anything user generated anywhere...

Kirzilla
  • 1
    htmlentities hasn't worked for me, only htmlspecialchars() did. The problem was that for some reason htmlentities would not handle accents correctly – Guillermo Mar 15 '10 at 16:57
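The points raised in Pascal MARTIN's answer (escape on output, pass the extra flags), Sam's comment (single-quoted attributes) and Kirzilla's answer with Guillermo's accent problem (ENT_QUOTES and the charset), put together in one runnable script. This is an added example, not code from the question or any answer; `escape_attr` and `render_title_input` are hypothetical helper names and the sample title is constructed.

```php
<?php
// Added example: escaping the question's <input> value on output.
// Assumes the page is served as UTF-8; helper names are hypothetical.
declare(strict_types=1);

function escape_attr(string $value): string
{
    // ENT_QUOTES escapes both " and ', so the result is safe whether the
    // attribute is double- or single-quoted (the gap Sam's comment notes).
    // Naming the charset explicitly avoids the encoding mismatch behind the
    // mangled accents Guillermo reports (older PHP defaulted to ISO-8859-1).
    // With ENT_HTML5, ' becomes &apos; and " becomes &quot;.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_title_input(string $title): string
{
    // Same markup as in the question, but the value is escaped, not stripped.
    return '<input name="title" type="text" class="inputMedium" value="'
        . escape_attr($title)
        . '" />';
}

// Constructed sample: both quote styles, angle brackets and an accented letter.
$title = 'Bob\'s "best" <café>';

// The question's approach: only the double quotes are removed, so the single
// quote and the angle brackets still reach the markup unchanged.
$stripped = str_replace('"', '', $title);
echo '<input value="' . $stripped . '" />', PHP_EOL;

// ENT_COMPAT (the default before PHP 8.1): " is escaped but ' is left alone,
// which is exactly what makes a single-quoted attribute risky.
echo htmlspecialchars($title, ENT_COMPAT, 'UTF-8'), PHP_EOL;

// Escaping on output: every quote and bracket is an entity, the accent
// survives, and the value can no longer close the attribute it sits in.
echo render_title_input($title), PHP_EOL;
```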