Date: 2020-02-05

So I ran your original code and it worked as expected. Not really seeing where you are getting a backslash. In your url you should see something like:

http://127.0.0.1:8000/d7.php?key=jjj%27kkk

Be sure you don’t have any magic quote nonsense going on. You should never have to do the sort of str_replace stuff in your second example.

What you are missing is the escaping of html output characters. If the user enters a character such as < which html uses then problems would definitely ensue. You always need to escape your output data:

```php
$key = isset($_GET['key']) ? $_GET['key'] : '';

// HTML escape your values before sending back to the browser
$key = htmlspecialchars($key, ENT_COMPAT);

$html = <<<EOT
<div>Key Value: {$key}</div>
<form action="index.php" method="get">
    <input type="text" name="key" value="{$key}">
    <input type="submit">
</form>
EOT;

echo $html;
```

You can look up htmlspecialchars in the docs to see what all it does.

And while off-topic, using what is known as the heredoc notation can save you a considerable amount of stress when generating html.

And really off-topic, but always use prepared statements for your database stuff, otherwise you will run into a host of problems.
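
An added example, not part of the original reply: it runs the form from the post over a few constructed inputs and compares `ENT_COMPAT` with `ENT_QUOTES | ENT_SUBSTITUTE`, showing which characters each flag set converts. The helpers `e()` and `render_form()` are hypothetical names, and the sample values are constructed for illustration.

```php
<?php
// Added example, not code from the original post.
// e() and render_form() are hypothetical helper names.

// Escape a value for HTML text or a quoted attribute value.
// ENT_QUOTES also converts ' (ENT_COMPAT leaves it untouched);
// ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of
// making htmlspecialchars() return an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same markup as the post, with every interpolated value escaped first.
function render_form(string $key): string
{
    $safe = e($key);
    return <<<EOT
<div>Key Value: {$safe}</div>
<form action="index.php" method="get">
    <input type="text" name="key" value="{$safe}">
    <input type="submit">
</form>
EOT;
}

// Constructed sample inputs, including the value from the URL in the post
// and one string containing an invalid UTF-8 byte.
$samples = ["jjj'kkk", 'a < b', 'say "hi"', 'Tom & Jerry', "bad\xFFbyte"];

foreach ($samples as $raw) {
    $compat = htmlspecialchars($raw, ENT_COMPAT, 'UTF-8');
    $quotes = e($raw);

    // After e(), none of the markup-significant characters remain raw.
    $clean = strpbrk($quotes, "<>\"'") === false;

    printf("ENT_COMPAT: [%s]\nENT_QUOTES: [%s]  clean=%s\n\n",
        $compat, $quotes, $clean ? 'yes' : 'no');
}

// Render the form for the key used in the post's URL (jjj%27kkk decoded).
echo render_form("jjj'kkk"), "\n";
```

With `ENT_COMPAT` the single quote in `jjj'kkk` passes through unchanged, which is safe only because the attribute in the form is double-quoted, and the invalid-byte sample comes back as an empty string.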