November 10th, 2012, 08:17 PM
Issue with using single quotes in strings to be used in href
I'm having another issue. My site will allow people to create 'shops' wherein they can post their items for sale. These shops are able to be named and in some cases will contain the ' symbol (Lucy's Clocks, for example).
But when used like this:
echo "<a href='somepage.php?view=$userShop'>$userShop</a>";
it will redirect to the page Lucy, because she has a ' in her title that ends the href quote.
As a temporary fix, I've changed to:
echo "<a href=somepage.php?view=$userShop>$userShop</a>";
But this method is deprecated and not in compliance with the strict XHTML I am currently working with.
I believe another fix would be to end the PHP and display it as normal HTML, but it would be quite messy.
Does anyone know of any better fixes to the problem?
The strings go through a sanitize process before being compared:
$var = strip_tags($var);
$var = htmlentities($var);
$var = stripslashes($var);
Any answers would be greatly appreciated.
November 10th, 2012, 09:23 PM
Your universal sanitizer is bad. It does way more than it ever should for a single use, and doesn't even do some things you'll need.
Here's how you sanitize stuff, in chronological order:
1. When stuff comes from the URL or a form and magic_quotes is enabled then, and only then, stripslashes() it. Do that as early as possible.
2. If you specifically want to remove - remove - anything that looks like an HTML tag then use strip_tags(). Do that as early as possible.
3. When you put a string directly into a SQL query and you aren't sure what characters it could contain, use mysql_real_escape_string(). Do that right when you put it into the query.
4. If you're putting something into a link (like an <A>) and you aren't sure what characters it could contain, use urlencode(). Do that right when you put it into the URL.
5. When you put a string directly into HTML and you aren't sure what characters it could contain, use htmlspecialchars() or htmlentities(). Do that right when you put it into the HTML. Mind your ENT_QUOTEs.
echo "<a href='somepage.php?view=", htmlentities(urlencode($userShop), ENT_QUOTES), "'>", htmlentities($userShop), "</a>";
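The point in the answer (escape for each context at the moment the value enters that context, not once up front as in the question's sanitize routine) is easier to see with the broken and the fixed link builder run side by side on the same inputs. The following is an added example, not code from either poster; the page name somepage.php and the query parameter view are taken from the question, the shop names are constructed samples, and htmlspecialchars() is used where the answer allows either it or htmlentities().

```php
<?php
// Added example, not the original poster's or the answerer's code.
// Assumes the page somepage.php with a query parameter named "view"
// (both from the question); the shop names below are constructed.

/**
 * Build an <a> element for a shop page, escaping once per context:
 *   1. urlencode() for the query-string value (URL context),
 *   2. htmlspecialchars() with ENT_QUOTES for the attribute value
 *      (HTML attribute context, single-quoted, so ENT_QUOTES matters),
 *   3. htmlspecialchars() with ENT_QUOTES for the visible link text
 *      (HTML text context).
 * urlencode() already turns ' " < > & into %XX sequences, so step 2 only
 * changes anything when the URL carries a literal "&" between several
 * parameters; it is still the right habit for every attribute.
 */
function shopLink(string $userShop): string
{
    $href = 'somepage.php?view=' . urlencode($userShop);
    return "<a href='" . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . "'>"
         . htmlspecialchars($userShop, ENT_QUOTES, 'UTF-8')
         . '</a>';
}

/**
 * The construction from the question, kept only so the two outputs can be
 * compared: the raw value is dropped into both the attribute and the text.
 */
function brokenShopLink(string $userShop): string
{
    return "<a href='somepage.php?view=$userShop'>$userShop</a>";
}

// Constructed sample names: the real-world case from the question, one with
// the other HTML-significant characters, and one that closes the attribute.
$samples = [
    "Lucy's Clocks",
    "Bob & Sons <Watches>",
    "x'><b>injected</b>",
];

foreach ($samples as $name) {
    echo "name:   $name\n";
    echo "broken: " . brokenShopLink($name) . "\n";
    echo "fixed:  " . shopLink($name) . "\n\n";
}

// On somepage.php, PHP has already URL-decoded the query string, so
// $_GET['view'] holds "Lucy's Clocks" again with no decoding to do; it
// should be compared or looked up as-is (via a prepared statement if it
// goes into SQL), not passed through strip_tags()/htmlentities() first.
```

For "Lucy's Clocks" the fixed builder emits `<a href='somepage.php?view=Lucy%27s+Clocks'>Lucy&#039;s Clocks</a>`: the apostrophe can no longer terminate the attribute, and the text still renders as the original name. Running the question's sanitize routine on the stored name instead would leave `&#039;` or `&amp;` inside the database value, which then breaks the comparison on the receiving page and gets double-escaped on output.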