Quotes in a php var

Question

I am quite new in php. I have to store a img tag in a var. I think this is ok:

$fotoTag1 = "<img src='42.png'
alt='text alt'>";

But the problem comes if there is a single quote in the name of the photo or in the alt?. For intance, don't

What I have tried:

$fotoTag1 = "<img src='don't.svg' alt='don't>'";
echo htmlspecialchars ($fotoTag1);
echo addslashes($fotoTag1);

$fotoTag2 = "<img src='don\'t.svg' alt='don\'t'>";
echo $fotoTag2;

(This is a simplified example but the url and alt comes from a sql database and of course, I cannot change the text manually. I need a general solution)

Answer 1

Use htmlspecialchars() to properly encode the text fragments you use to build the HTML fragment, not the HTML you built:

$fotoTag1 = '<img src="'.htmlspecialchars("don't.svg").'" alt="'.htmlspecialchars("don't").'">';

Or, to be more clear:

// Wrapped for clarity
$fotoTag1 = sprintf(
    '<img src="%s" alt="%s">',
    htmlspecialchars("don't.svg"),
    htmlspecialchars("don't")
);

Read about sprintf() and the different ways to specify a string in PHP.

addslashes() doesn't help when you build HTML content. As a side note, it is an obsolete function that doesn't have many usages nowadays.

Answer 2

$fotoTag2 = "<img src=\"don't.svg\" alt=\"don't\">";
echo $fotoTag2;

Answer 3

$fotoTag1 = "<img src='don't.svg' alt='don't>'";

Your problem here has nothing to do with PHP.

You have an HTML attribute value delimited with apostrophe characters and you want to use an apostrophe inside that value.

When you want to represent a character with special meaning in HTML as that raw character, you can use a character reference.

This can be a named entity (') or one of the numeric references to the position of the character in unicode (');

<img src='don&apos;t.svg' alt='don&#39;t'>

Beware: ' was added to HTML relatively late. Old versions of IE do not support it.

---

Alternatively you could change your HTML so you use double quotes to delimit the data:

<img src="don't.svg" alt="don't">

This would introduce a PHP problem because you are using them to delimit the string literal.

In this case you would need to escape the data for PHP, which you do with a backslash character.

$fotoTag1 = "<img src=\"don't.svg\" alt=\"don't\">";

---

Alternatively, you could use some other form of string generation, such as HEREDOC.

$fotoTag1 = <<<END
<img src="don't.svg" alt="don't">
END;

---

As a rule of thumb, it is better to avoid storing HTML in variables in the first place.

When you want to output data, just switch to output mode:

?>
<img src="don't.svg" alt="don't">
<?php

You can always drop back into PHP mode if you need a variable.

$src = "don't.svg";
$alt = "don't";
?>
<img src="<?php echo htmlspecialchars($src); ?>" alt="<?php echo htmlspecialchars($alt); ?>">
<?php

(Note that for the characters involved, htmlspecialchars isn't needed in this example, but it does protect you when dealing with programmatically acquired data that you can't guarantee to be HTML safe).

Answer 4

You had the right idea using htmlspecialchars(), the issue with this specific example is that function does not escape ' by default. You need to add the flag ENT_QUOTES to escape single quotes with htmlspecialchars().

You should also be applying this function just to strings you wish to escape, not the entire html line. This could, and most likely will in most cases, cause unintended side effects of escaping characters you didn't want escaped.

Answer 5

Try this, it's working:

$fotoTag1 = '<img src="'.htmlspecialchars("don't.svg").'" 
alt="'.htmlspecialchars("don't").'">';
echo $fotoTag1;

Answer 6

You should use the html ascii codes, so for your example:

$fotoTag2 = "<img src='don&#39;t.svg' alt='don&#39;t'>";

Since ' is the ascii code for single quote.