-1

I made a function for my website that converts special characters, in case someone tries to break out of the system using colons, semicolons, single quotes or double quotes. I made an array `$find`, which is the find argument in str_replace, and `$change`, which holds what it will be exchanged with.

$find = array('"','\'','<3');
$change = array('&quot;','&apos;','&hearts;');
$str = "This is a test ' " <3.";

$str = str_replace($find, $change, $str);
echo $str;

It literally prints the codes like `&quot;`, and supposedly it should be echoed as double quotes ("). I refreshed the page. It is still echoing the actual code.

Any help?

itwasntme
Bido262
  • What does the *raw* server output look like? Try with `curl` on the command line or such to remove any confusion a browser might add. – deceze Aug 19 '15 at 10:34
  • What do you mean? Can you add an answer directly so that I could learn something? – Bido262 Aug 19 '15 at 10:35
  • 1
    It's not an answer just yet, I'm asking you to debug more. Do you know how to use a command line to run `curl`? – deceze Aug 19 '15 at 10:36
  • Nope, I actually don't know what curl is – Bido262 Aug 19 '15 at 10:37
  • Then forget that. Use "View Source" of your browser then to see the raw source the browser received. Note: *not "Inspect Element"* or such. – deceze Aug 19 '15 at 10:38
  • Just provide an answer. I can't understand "view the raw source". You mean inspect element? There is no other way to view the page source without inspect element. – Bido262 Aug 19 '15 at 10:40
  • If you press `ctrl + u` you can view the page source – anurupr Aug 19 '15 at 10:46
  • Nobody can answer your question, which is why I'm asking you to debug more! We need more information to diagnose this for you! Figure out how to "View Source" on whatever browser you're using (again, no information here). Tell us what exactly the source looks like. – deceze Aug 19 '15 at 10:49
  • 1
    For XSS protection, you should be using `htmlspecialchars`. (For your additional stuff, like replacing certain character combinations with named entities, you should use an additional function that runs after that.) – CBroe Aug 19 '15 at 10:50

1 Answer

2

Your code works, but you must take care with the PHP quotes in the string:

$find = array('"','\'','<3');
$change = array('&quot;','&apos;','&hearts;');
$str = "This is a test ' \" <3.\""; // look at this line

$str = str_replace($find, $change, $str);
echo $str;

This works. See it working: http://phpfiddle.org/lite?code=

Marcos Pérez Gude
  • The phpfiddle is missing the code query. Can't view it. And btw, what if someone enters double quotes only, like just typing (") and clicking submit? It will still break the system. – Bido262 Aug 19 '15 at 10:47
  • You must use the `htmlentities()` function: http://php.net/manual/es/function.htmlentities.php To view how it runs in phpfiddle, just copy and paste my code in phpfiddle.org. I don't know why the link doesn't run – Marcos Pérez Gude Aug 19 '15 at 10:54
  • Thanks so much, great. Really appreciated this. – Bido262 Aug 20 '15 at 11:27
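As an added example (not the question's or the answer's code), the PHP below puts the question's str_replace list next to htmlspecialchars(), which CBroe's comment and the answer's comment recommend, and shows how to run the `<3` to `&hearts;` swap after escaping. The two sample inputs are constructed for the demonstration.

```php
<?php
// Added example: the hand-picked str_replace list from the question versus
// htmlspecialchars(), and the "<3" -> &hearts; swap layered on top of it.

// The approach from the question: only the two quote styles and "<3" are rewritten.
// Anything else, such as < > & in a tag, reaches the page untouched.
function escape_with_str_replace(string $input): string
{
    $find   = ['"', "'", '<3'];
    $change = ['&quot;', '&apos;', '&hearts;'];
    return str_replace($find, $change, $input);
}

// The recommended approach: htmlspecialchars() first, so that & < > and both
// quote styles are encoded. ENT_QUOTES covers single quotes as well as double
// ones; ENT_HTML5 makes the single quote come out as &apos; like the question's
// own list does. Because "<" has already become "&lt;" at this point, the cosmetic
// replacement must look for "&lt;3", not "<3", or it never matches.
function escape_for_html(string $input): string
{
    $safe = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return str_replace('&lt;3', '&hearts;', $safe);
}

// Constructed sample inputs: the string from the question, and one that carries markup.
$samples = [
    "This is a test ' \" <3.",
    "hello <b>world</b> & friends",
];

foreach ($samples as $s) {
    echo "input:            $s\n";
    echo "str_replace only: " . escape_with_str_replace($s) . "\n";
    echo "htmlspecialchars: " . escape_for_html($s) . "\n\n";
}
```

For the first sample both functions give the same result; for the second, only escape_for_html() encodes the `<b>` tag and the bare `&`.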