How to escape single quotes in PHP?

I am writing some JavaScript code that uses a string rendered with PHP. How can I escape single quotes (and only single quotes) in my PHP string?


    $('#myElement').html('say hello to ');

asked Jun 7, 2011 at 17:26

4

Quite simply: echo str_replace('\'', '\\\'', $myString); However, I'd suggest use of JSON and json_encode() function as it will be more reliable (quotes new lines for instance):




   var phpData = ;
   alert(phpData.myString);

Justin


answered Jun 7, 2011 at 17:30

Crozin
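An added example, not part of the original answer: it compares the single-quote-only replacement with json_encode() for a value written into a script block. The sample string, the jsLiteral() and survivors() helpers and the choice of JSON_HEX_* flags are assumptions of this example.

```php
<?php
// Constructed sample: a quote, a backslash, a newline and a closing script tag.
$name = "O'Reilly \\ says\n</script>";

// Returns a complete JavaScript string literal, surrounding quotes included.
// JSON_HEX_* turns < > & ' " into \uXXXX escapes, so the literal cannot close
// the script element or an enclosing HTML attribute.
function jsLiteral(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
    $json = json_encode($value, $flags);
    if ($json === false) {
        // json_encode() fails on input that is not valid UTF-8.
        throw new InvalidArgumentException(json_last_error_msg());
    }
    return $json;
}

// Lists the sequences that still break a string literal inside a script block.
function survivors(string $js): array
{
    $risky = ['raw newline' => "\n", 'closing script tag' => '</script'];
    return array_keys(array_filter($risky, fn($needle) => strpos($js, $needle) !== false));
}

$quoteOnly = str_replace('\'', '\\\'', $name); // single-quote-only replacement
echo 'quote-only: ', implode(', ', survivors($quoteOnly)) ?: 'none', "\n";
echo 'jsLiteral:  ', implode(', ', survivors(jsLiteral($name))) ?: 'none', "\n";
?>
<script>
  // jsLiteral() already emits the surrounding quotes, so none are added here.
  var greeting = <?= jsLiteral($name) ?>;
  $('#myElement').text('say hello to ' + greeting); // .text() inserts text, not markup
</script>
```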

6

If you want to escape characters with a \, you have addcslashes(). For example, if you want to escape only single quotes like the question, you can do:

echo addcslashes($value, "'");

And if you want to escape ', ", \, and nul (the byte null), you can use addslashes():

echo addslashes($value);

answered Feb 3, 2017 at 10:31

PhoneixS

1

str_replace("'", "\'", $mystringWithSingleQuotes);

answered Jun 7, 2011 at 17:29

Julian

In some cases, I just convert it into ENTITIES:

// i.e., $x = ABC\DEFGH'IJKL
$x = str_ireplace("'",  "&#39;", $x);
$x = str_ireplace("\\", "&#92;", $x);
$x = str_ireplace('"',  "&quot;", $x);

On the HTML page, the visual output is the same:

ABC\DEFGH'IJKL

However, it is sanitized in source.

answered Apr 2, 2015 at 20:36

T.Todua

Use the native function htmlspecialchars. It will escape all special characters. If you want to escape a quote specifically, use it with ENT_COMPAT or ENT_QUOTES. Here is the example:

$str = "Jane & 'Tarzan'";
echo htmlspecialchars($str, ENT_COMPAT); // Will only convert double quotes
echo "\n";
echo htmlspecialchars($str, ENT_QUOTES); // Converts double and single quotes
echo "\n";
echo htmlspecialchars($str, ENT_NOQUOTES); // Does not convert any quotes

The output would be like this:

Jane & 'Tarzan'
Jane & 'Tarzan'
Jane & 'Tarzan'

Read more in PHP htmlspecialchars() Function

answered Apr 6, 2018 at 6:43

Nishad Up

To replace only single quotes, use this simple statement:

$string = str_replace("'", "\\'", $string);

answered Jun 7, 2011 at 17:29

0

You can use the addcslashes function to get this done like so:

echo addcslashes($text, "'\\");

answered Jan 21, 2018 at 23:03

Junior

After a long time fighting with this problem, I think I have found a better solution.

The combination of two functions makes it possible to escape a string to use as HTML.

One, to escape double quote if you use the string inside a JavaScript function call; and a second one to escape the single quote, avoiding those simple quotes that go around the argument.

Solution:

mysql_real_escape_string(htmlspecialchars($string))

Solve:

  • a PHP line created to call a JavaScript function like

echo ' title="javascript_function(\'' . mysql_real_escape_string(htmlspecialchars($string))"

answered May 9, 2014 at 10:19
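Added example, not from the answer above: for a JavaScript argument inside an HTML attribute, encode for JavaScript first and for HTML second. It uses json_encode() instead of mysql_real_escape_string(), which escapes for SQL and belongs to the mysql extension removed in PHP 7; the onclick attribute, the sample string and the jsArgInAttribute() helper are assumptions.

```php
<?php
// Constructed sample value with both quote styles, a backslash and markup.
$title = "Bob's \"big\" <deal> \\ & more";

// Encode for the innermost context first (JavaScript string literal), then
// for the outer one (HTML attribute value). HTML encoding alone is not enough
// here: the HTML parser decodes &#039; back to ' before the script engine
// parses the handler, so the quote would end the JavaScript string.
function jsArgInAttribute(string $value): string
{
    $js = json_encode($value, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    if ($js === false) {
        // json_encode() fails on input that is not valid UTF-8.
        throw new InvalidArgumentException(json_last_error_msg());
    }
    return htmlspecialchars($js, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$attr = jsArgInAttribute($title);
// No extra quotes around $attr: json_encode() supplied them (now as &quot;).
echo '<a href="#" onclick="javascript_function(' . $attr . ')">show</a>', "\n";

// Self-check: undo the two layers in the order a browser applies them
// (attribute decoding, then string-literal parsing) and compare.
$seenByScript = json_decode(html_entity_decode($attr, ENT_QUOTES, 'UTF-8'));
echo $seenByScript === $title ? "round trip ok\n" : "round trip FAILED\n";
```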

I wrote the following function. It replaces the following:

Single quote (') with a slash and a single quote (\').

Backslash (\) with two backslashes (\\)

function escapePhpString($target) {
    $replacements = array(
            "'" => '\\\'',
            "\\" => '\\\\'
    );
    return strtr($target, $replacements);
}

You can modify it to add or remove character replacements in the $replacements array. For example, to replace \r\n, it becomes "\r\n" => "\\r\\n" and "\n" => "\\n".

/**
 * With new line replacements too
 */
function escapePhpString($target) {
    $replacements = array(
            "'" => '\\\'',
            "\\" => '\\\\',
            "\r\n" => "\\r\\n",
            "\n" => "\\n"
    );
    return strtr($target, $replacements);
}

The neat feature about strtr is that it will prefer long replacements.

For example, "Cool\r\nFeature" will escape \r\n rather than escaping \n alone.

answered Nov 19, 2015 at 15:15

Basil Musa

0

Here is how I did it. Silly, but simple.

$singlequote = "'";
$picturefile = getProductPicture($id);

echo showPicture('.$singlequote.$picturefile.$singlequote.');

I was working on outputting HTML that called JavaScript code to show a picture...

answered May 15, 2013 at 2:20

I am not sure what exactly you are doing with your data, but you could always try:

$string = str_replace("'", "%27", $string);

I use this whenever strings are sent to a database for storage.

%27 is the encoding for the ' character, and it also helps to prevent disruption of GET requests if a single ' character is contained in a string sent to your server. I would replace ' with %27 in both JavaScript and PHP just in case someone tries to manually send some data to your PHP function.

To make it prettier to your end user, just run an inverse replace function for all data you get back from your server and replace all %27 substrings with '.

Happy injection avoiding!

answered Feb 12, 2013 at 14:48
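Added example, not the answer author's code: bound parameters store a string containing ' without any substitution, and the replace / inverse-replace pair is run on the same inputs for comparison. PDO with an in-memory SQLite database is assumed; the table, column and sample strings are constructed.

```php
<?php
// In-memory database so the example runs without any server (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (body TEXT NOT NULL)');

// Both samples are ordinary user text: one has a quote, one a literal "%27".
$samples = ["it's 100% done", "the code %27 means apostrophe"];

// Bound parameters travel separately from the SQL text, so the quote is
// never parsed as SQL syntax and the stored bytes are exactly the input.
$insert = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
foreach ($samples as $s) {
    $insert->execute([':body' => $s]);
}
$stored = $pdo->query('SELECT body FROM notes ORDER BY rowid')
              ->fetchAll(PDO::FETCH_COLUMN);

foreach ($samples as $i => $s) {
    // Replace before storing, inverse replace after reading, on the same input.
    $roundTrip = str_replace('%27', "'", str_replace("'", '%27', $s));
    printf(
        "%-32s bound: %-10s replace pair: %s\n",
        $s,
        $stored[$i] === $s ? 'unchanged' : 'changed',
        $roundTrip === $s ? 'unchanged' : 'changed'
    );
}
```

The second sample comes back altered from the replace pair because its literal %27 is rewritten on the way out; escaping for HTML or JavaScript is then applied when the stored value is printed, not when it is saved.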

How do I escape a single quote?

Single quotes need to be escaped by backslash in single-quoted strings, and double quotes in double-quoted strings.

Can you use single quotes in PHP?

Single or double quotes in PHP programming are used to define a string. But, there are lots of differences between these two. Single-quoted Strings: It is the easiest way to define a string. You can use it when you want the string to be exactly as it is written.

Should I use single or double quotes PHP?

In PHP, people use single quotes to define a constant string, like 'a', 'my name', 'abc xyz', while using double quotes to define a string containing identifiers, like "a $b $c $d". echo "my $a"; This is true for other uses of strings.

How do you remove single quotes from a string?

replace() to remove single quotes from a string. Call str.replace(old, new) with old as "'" and new as "" to remove all single quotes from the string.
