Quotation mark in input box

<?php
if ( isset($_GET['key']) ) {$key=$_GET['key'];} else {$key='';}
$var='<form action="t7.php" method="get">
<input type="text" name="key" value="' .$key. '">
<input type="submit">
</form>';
echo $var;

if a user enters “book” in the input box, and click submit, it shows “book” in the box.
if a user enters “single quotation” in the box, it shows “backward slash + single quotation” in the box.
In order to remove “backward slash”, I modified the code above as the code below by inserting “$key=str_replace(”’", “’”, $key);"

<?php
if ( isset($_GET['key']) ) {$key=$_GET['key'];} else {$key='';}
$key=str_replace("\'", "'", $key);
$var='<form action="t7.php" method="get">
<input type="text" name="key" value="' .$key. '">
<input type="submit">
</form>';
echo $var;

But the modified code above has a problem.

if a user enters “double quotation” it show nothing.

How can I make it show “double quotation”?

Hi @joon1,

It would probably be better if you tell us about the real problem you are trying to solve with this code. What is the high level overview of what you are doing?

* Is this still part of your php5 to php7 conversion?

I am making of searching page on the way of building a site.
after a user enters a keyword, it is, I just think, good to show the keyword in the box.
Most web site including google.com is doing like that.

I am testing it in PHP5.

So I ran your original code and it worked as expected. Not really seeing where you are getting a backslash. In your url you should see something like:

http://127.0.0.1:8000/d7.php?key=jjj%27kkk

Be sure you don’t have any magic quote nonsense going on. You should never have to do the sort of str_replace stuff in your second example.

What you are missing is the escaping of html output characters. If the user enters a character such < which html uses then problems would definitely ensue. You always need to escape your output data:

$key = isset($_GET['key']) ?  $_GET['key'] : '';

// HTML escape your values before sending back to the browser
$key = htmlspecialchars($key, ENT_COMPAT);

$html = <<<EOT
<div>Key Value: {$key}</div>
<form action="index.php" method="get">
<input type="text" name="key" value="{$key}">
<input type="submit">
</form>
EOT;

echo $html;

You can lookup htmlspecialchars in the docs to see what all it does.

And while off-topic, using what is known as the heredoc notation can save you a considerable amount of stress when generating html.

And really off-topic but always use prepared statements for your database stuff otherwise you will run into a host of problems.

Try this @joon1. Much cleaner IMO.

<form method="get">
    <input name="key" value="<?= !empty($_GET['key']) ? htmlspecialchars($_GET['key'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') : '' ?>">
    <button type="submit">Search</button> 
</form>
<?php

$key = isset($_GET['key']) ?  $_GET['key'] : '';

// HTML escape your values before sending back to the browser
$key = htmlspecialchars($key, ENT_COMPAT);

$html = <<<EOT
<div>Key Value: {$key}</div>
<form action="t02.php" method="get">
<input type="text" name="key" value="{$key}">
<input type="submit">
</form>
EOT;

echo '<a href="t02.php">initial</a>';
echo $html;

http://form.kr/test01/t1/t02.php has the code above.

If I enter a single quotation mark in the input, it shows a backslash and single quotation mark at http://form.kr/test01/t1/t02.php?key='

I like to remove the backslash in displaying.in the input box.
I like to display a single quotation mark only instead of a backslash and single quotation mark in the input box.

<a href="t01.php">initial</a>
<form method="get">
    <input name="key" value="<?= !empty($_GET['key']) ? htmlspecialchars($_GET['key'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') : '' ?>">
    <button type="submit">Search</button> 
</form>

I have the code above at http://form.kr/test01/t1/t01.php

If I enter a double quotation mark in the input, it shows a backslash and double quotation mark at http://form.kr/test01/t1/t01.php?key="

I like to remove the backslash in displaying.in the input box.
I like to display a double quotation mark only instead of a backslash and double quotation mark in the input box.

The problem is from magic_quotes which has been completely removed from Php long ago.

When magic_quotes are on, all ’ (single-quote), " (double quote), \ (backslash) and NUL’s are escaped with a backslash automatically.

And why are you still messing around with a php version (5.x) that is hundreds and hundreds of releases behind?

Thank you, I see now why your code doesn’t work in my old server.

<a href="t03.php">initial</a><br>
<form method="get">  
    <input name="key" value="<?= !empty($_GET['key']) ? str_replace('\\', '', htmlspecialchars($_GET['key'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ): '' ?>">
    <button type="submit">Search</button> 
</form>

The code above at http://form.kr/test01/t1/t03.php works fine at the moment.