date 2021-07-20

Problem with syntax in PHP str_replace

PHP
#1

Hi, I am trying out some code from the internet for a secure login. One of the functions seems to contain a syntax error in a line that reads -

$url = str_replace("'", ''', $url);

The whole function is -

function esc_url($url) {
 
    if ('' == $url) {
        return $url;
    }
 
    $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i', '', $url);
 
    $strip = array('%0d', '%0a', '%0D', '%0A');
    $url = (string) $url;
 
    $count = 1;
    while ($count) {
        $url = str_replace($strip, '', $url, $count);
    }
 
    $url = str_replace(';//', '://', $url);
 
    $url = htmlentities($url);
 
    $url = str_replace('&amp;', '&', $url);
	
    $url = str_replace("'", ''', $url);
 
    if ($url[0] !== '/') {
        // We're only interested in relative links from $_SERVER['PHP_SELF']
        return '';
    } else {
        return $url;
    }
}

I have to admit I don’t yet understand the full code, but there is definitely a syntax error in the line mentioned. If I can sort that out I can continue with my understanding and learning - thanks guys

#2

What are you trying to do there? You can’t wrap a single quote in a pair of single quotes.

#3

To be honest, I am not completely sure either :grin: As I said, it is a secure login script I found on the net. The description of the function they give is -

This next function sanitizes the output from the PHP_SELF server variable. It is a modification of a function of the same name used by the WordPress Content Management System.

I can comment out the line and the whole script works OK. But I am not sure if that will create another problem. It seems they are trying to replace single quotes in the url with something but I am not sure with what or why. I was hoping someone had some advice or comments.

#4

Perhaps they are trying to replace single-quotes with double-quotes, and the line should read

$url = str_replace("'", '"', $url);

but if it’s a URL, would either character be valid there?

1 Like
#5

The fact that the code uses $_SERVER['PHP_SELF'] tells me that the “tutorial” is either old or poorly written. Best to show us the link to it.

trying out some code from the internet

More often than not you will run across old, insecure, or poorly written code just grabbing something at random from the internet. Be careful and understand the code before you implement it, especially for a “Secure Login” code.
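
Added example, not part of the thread or of the tutorial's code: WordPress's own esc_url() replaces a single quote with the HTML entity &#039; when escaping for display, so the broken line looks like that entity after it was decoded to a bare quote somewhere in publishing (an inference; the thread does not confirm it). The sketch below runs the function with that assumed replacement on constructed inputs; the name esc_url_assumed, the sample paths and the substr() check are assumptions, not the tutorial's code.

```php
<?php
// Added example. Assumption: the broken line originally replaced a single
// quote with the HTML entity &#039;, as WordPress's esc_url() does.
function esc_url_assumed(string $url): string
{
    if ($url === '') {
        return $url;
    }
    // Drop every character outside the tutorial's allow-list
    // (this already removes ", <, > and whitespace).
    $url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i', '', $url);

    // Remove encoded CR/LF repeatedly: one pass can leave a new "%0a"
    // behind when the sequences are nested, so loop until nothing changes.
    $strip = ['%0d', '%0a', '%0D', '%0A'];
    $count = 1;
    while ($count) {
        $url = str_replace($strip, '', $url, $count);
    }
    $url = str_replace(';//', '://', $url);

    // With the default flags before PHP 8.1, htmlentities() leaves single
    // quotes untouched, which is why a separate replacement follows.
    $url = htmlentities($url);
    $url = str_replace('&amp;', '&', $url);
    $url = str_replace("'", '&#039;', $url);   // assumed original line

    // Only relative links are accepted. substr() is used instead of $url[0]
    // so an input emptied by the allow-list does not raise an offset warning.
    return substr($url, 0, 1) === '/' ? $url : '';
}

// Constructed inputs standing in for $_SERVER['PHP_SELF'].
$samples = [
    '/login.php',
    "/login.php/it's",             // single quote in trailing path info
    '/login.php/%0%0aaX',          // nested encoded line break
    'http://example.test/login',   // absolute URL: rejected
];
foreach ($samples as $s) {
    printf("%-28s => %s\n", $s, var_export(esc_url_assumed($s), true));
}
```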