Problem with syntax in PHP str_replace

Date: 2021-07-20

Hi, I am trying out some code from the internet for a secure login; one of the functions seems to contain a syntax error in a line that reads -

$url = str_replace("'", ''', $url);

The whole function is -

function esc_url($url) {
 
    if ('' == $url) {
        return $url;
    }
 
    $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i', '', $url);
 
    $strip = array('%0d', '%0a', '%0D', '%0A');
    $url = (string) $url;
 
    $count = 1;
    while ($count) {
        $url = str_replace($strip, '', $url, $count);
    }
 
    $url = str_replace(';//', '://', $url);
 
    $url = htmlentities($url);
 
    $url = str_replace('&amp;', '&', $url);
	
    $url = str_replace("'", ''', $url);
 
    if ($url[0] !== '/') {
        // We're only interested in relative links from $_SERVER['PHP_SELF']
        return '';
    } else {
        return $url;
    }
}

I have to admit I don’t yet understand the full code, but there is definitely a syntax error in the line mentioned. If I can sort that out I can continue with my understanding and learning - thanks guys

What are you trying to do there? You can’t wrap a single quote in a pair of single quotes.

To be honest, I am not completely sure either :grin: As I said, it is a secure login script I found on the net. The description of the function they give is -

This next function sanitizes the output from the PHP_SELF server variable. It is a modification of a function of the same name used by the WordPress Content Management System.

I can comment out the line and the whole script works OK. But I am not sure if that will create another problem. It seems they are trying to replace single quotes in the url with something but I am not sure with what or why. I was hoping someone had some advice or comments.

Perhaps they are trying to replace single-quotes with double-quotes, and the line should read

$url = str_replace("'", '"', $url);

but if it’s a URL, would either character be valid there?
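An added example, not part of any post in this thread and not the original script's code: the quoted description says the function is adapted from WordPress's esc_url(), which replaces a single quote with the HTML entity `&#039;` and `&amp;` with `&#038;`, so the broken line is most likely that entity after it was decoded by the page the code was copied from. The repaired function below rests on that assumption, adds an empty-string guard before `$url[0]`, and runs on constructed sample values.

```php
<?php
// Repaired form of the function quoted in the thread (added example).
// Assumption: the two entity strings were decoded when the source page was
// rendered; WordPress's esc_url() uses '&#038;' and '&#039;' at these points.
function esc_url($url) {
    if ('' == $url) {
        return $url;
    }
    // Drop every character outside the allowed URL set.
    $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i', '', $url);

    // Remove encoded CR/LF repeatedly until none are left.
    $strip = array('%0d', '%0a', '%0D', '%0A');
    $url = (string) $url;
    $count = 1;
    while ($count) {
        $url = str_replace($strip, '', $url, $count);
    }

    $url = str_replace(';//', '://', $url);
    $url = htmlentities($url);
    $url = str_replace('&amp;', '&#038;', $url);
    // Before PHP 8.1 htmlentities() leaves "'" alone by default, so encode it
    // here; the value then cannot close a single-quoted HTML attribute.
    $url = str_replace("'", '&#039;', $url);

    // Only root-relative links are accepted (guard added for an empty result).
    if ($url === '' || $url[0] !== '/') {
        return '';
    }
    return $url;
}

// Constructed sample values standing in for $_SERVER['PHP_SELF'].
$samples = array(
    "/login.php",
    "/login.php/it's?a=1&b=2", // quote and ampersand become entities
    "login.php",               // not root-relative: rejected
    "/login.php%0d%0a/x",      // encoded CR/LF removed
);
foreach ($samples as $s) {
    printf("%-26s => %s\n", $s, var_export(esc_url($s), true));
}
```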

