    #1 Registered User (Devshed Newbie), Join Date Nov 2012

    Issue with using single quotes in strings to be used in href


    I'm having another issue. My site will allow people to create 'shops' wherein they can post their items for sale. These shops are able to be named and in some cases will contain the ' symbol. (Lucy's Clocks for example).

    But when used like this:
    PHP Code:
    echo "<a href='somepage.php?view=$userShop'>$userShop</a>";
    Will redirect to the page Lucy because she has a ' in her title that ends the href quote.

    As a temporary fix, I've changed to:
    PHP Code:
    echo "<a href=somepage.php?view=$userShop>$userShop</a>";
    But this method is deprecated and not in compliance with the strict XHTML I am currently working with.

    I believe another fix would be to end the php, display it as normal html, but it would be quite messy.

    Does anyone know of any better fixes to the problem?

    Note:
    The strings go through a sanitize process before being compared:
    PHP Code:
    function sanitizeString($var)
    {
        $var = strip_tags($var);               // drop anything that looks like an HTML tag
        $var = htmlentities($var);             // encode HTML special characters
        $var = stripslashes($var);             // remove backslashes (magic_quotes era)
        return mysql_real_escape_string($var); // escape for use in a MySQL query
    }
    Any answers would be greatly appreciated.

    Thanks!
    #2 Transforming Moderator (Devshed Supreme Being), Join Date Mar 2007, Location Washington, USA

    Your universal sanitizer is bad. It does way more than it ever should for a single use, and doesn't even do some things you'll need.

    Here's how you sanitize stuff, in chronological order:
    1. When stuff comes from the URL or a form and magic_quotes is enabled then, and only then, stripslashes() it. Do that as early as possible.
    2. If you specifically want to remove - remove - anything that looks like an HTML tag then use strip_tags(). Do that as early as possible.
    3. When you put a string directly into a SQL query and you aren't sure what characters it could contain, use mysql_real_escape_string(). Do that right when you put it into the query.
    4. If you're putting something into a link (like an <A>) and you aren't sure what characters it could contain, use urlencode(). Do that right when you put it into the URL.
    5. When you put a string directly into HTML and you aren't sure what characters it could contain, use htmlspecialchars() or htmlentities(). Do that right when you put it into the HTML. Mind your ENT_QUOTEs.

    So
    PHP Code:
    echo "<a href='somepage.php?view=", htmlentities(urlencode($userShop), ENT_QUOTES), "'>", htmlentities($userShop), "</a>";
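    The per-context escaping the reply describes, as an added example that is not code from either post: `urlencode()` for the query string, then `htmlspecialchars()` with `ENT_QUOTES` for the attribute and the link text. The function names, the `'UTF-8'` charset argument and the shop names are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Function and variable names are
// our own, and the shop names below are constructed test data.

// Safe version: escape for each context in the order the string enters it.
function shopLink(string $shop): string
{
    // Inside the URL: ' becomes %27 and & becomes %26, so the name can
    // neither end the attribute nor start a second query parameter.
    $href = 'somepage.php?view=' . urlencode($shop);
    // Inside HTML: quotes and angle brackets become entities.
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($shop, ENT_QUOTES, 'UTF-8') . '</a>';
}

// The version from the question, kept for comparison: a ' in the name ends
// the href attribute early.
function brokenShopLink(string $shop): string
{
    return "<a href='somepage.php?view=$shop'>$shop</a>";
}

// Constructed shop names covering the characters that matter.
$names = [
    "Lucy's Clocks",
    'Say "Cheese" Photos',
    'Tom & Jerry <b>Toys</b>',
];

foreach ($names as $name) {
    echo 'broken: ', brokenShopLink($name), "\n";
    echo 'fixed:  ', shopLink($name), "\n\n";
}
```

    On somepage.php, `$_GET['view']` already arrives URL-decoded, so it can be compared against the stored shop name as-is; the escaping above belongs only to the output step.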
