Quotes stop browser from reading data

Here’s the thing: I’m using the old stripslashes trick on the data being sent to the DB because magic quotes are on. Works fine (ex. This is not in quotes, but "this is"), the database receives and returns exactly that.

The problem is seen in two places, and that is when I try to add that string to the URL with $_GET and when I add that string to pre-populate a text input field.


$var = 'This has no quotes, but "this does"';
echo '<a href="nextpage.php?var=' . $var . '">link</a>';

nextpage.php?var=This has no quotes, but

The rest of the string is missing…

I have the same issue when grabbing data from the DB and inserting the returned data as the value of a text input field.


$var = 'This has no quotes, but "this does"';
echo '<input type="text" value="' . $var . '" />';

<input type="text" value="This has no quotes, but " />

Any ideas???

The first set of double quotes in $var closes the ones that open the value attribute in your HTML. Then the rest of $var becomes junk that invalidates your HTML and breaks the page.
Run $var through [fphp]htmlspecialchars[/fphp] or [fphp]htmlentities[/fphp] to make it safe to output this way.

Also, if any of the content is user submitted (such as a username, or comment) and you don’t escape it properly your site will be vulnerable to XSS attacks.

Any ideas???

Pay more attention to what you are doing.
Try your second code and then check the resulting HTML source. It is not like the one you posted below. Then count the double quotes.
And then use the htmlspecialchars() function to encode HTML special characters in your text.

For the first one, urlencode() should be used instead, because it is a URL where you’re going to pass your text.
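Putting both replies together, here is an added example (my own code, not posted in this thread) that escapes the same string once for the URL context and once for the attribute context. The helper names safeLink and safeInput are assumptions for illustration, not PHP built-ins; the sample value is constructed to contain quotes, an ampersand and angle brackets so the difference between the two encodings is visible.

```php
<?php
// Added example: escaping one value for the two output contexts discussed
// above, an href query string and an HTML attribute value.
// safeLink() and safeInput() are hypothetical helper names, not PHP built-ins.

declare(strict_types=1);

// Constructed sample value, the same shape as the one in the question.
$var = 'This has no quotes, but "this does" & <more>';

// Context 1: the value goes into a URL query string, so it must be URL-encoded.
// urlencode()-style encoding turns spaces into '+' and '"' into %22, which is
// what a query string needs (rawurlencode(), spaces as %20, is for path parts).
function safeLink(string $value): string
{
    // http_build_query() URL-encodes each value and assembles key=value pairs.
    $query = http_build_query(['var' => $value]);
    // The attribute itself still needs HTML escaping: an '&' inside the URL
    // would otherwise be parsed as the start of an HTML entity.
    $href = htmlspecialchars('nextpage.php?' . $query, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $href . '">link</a>';
}

// Context 2: the value goes into an HTML attribute, so it must be HTML-escaped.
// ENT_QUOTES escapes single quotes as well as double ones, so the output stays
// safe whichever quote style wraps the attribute.
function safeInput(string $value): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return '<input type="text" value="' . $escaped . '" />';
}

// The broken versions from the question, kept for comparison: the first '"'
// in $var closes the attribute and the browser drops the rest.
echo '<a href="nextpage.php?var=' . $var . '">link</a>', PHP_EOL;
echo '<input type="text" value="' . $var . '" />', PHP_EOL;

// Escaped versions: every byte of $var survives to the browser.
echo safeLink($var), PHP_EOL;
// <a href="nextpage.php?var=This+has+no+quotes%2C+but+%22this+does%22+%26+%3Cmore%3E">link</a>
echo safeInput($var), PHP_EOL;
// <input type="text" value="This has no quotes, but &quot;this does&quot; &amp; &lt;more&gt;" />
```

On nextpage.php, $_GET['var'] arrives already URL-decoded, so it holds the original string again; with magic_quotes_gpc on it will also carry the same backslashes the stripslashes trick removes. Whatever is done with it there, it has to be escaped again with htmlspecialchars() before it is echoed into the page, because the decoded value contains the same quotes that broke the original markup.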

Thank you, cranial-bore, for the security suggestion. All data is being escaped properly. You were right, the HTML was broken, too many double quotes.

Thank you schrapnal N5 for your suggestions, both issues are now resolved. You were correct about the source code for the text input value. htmlspecialchars() solved this problem. And once I added urlencode() to the link tag, it worked great.