serialize double quotes

Posted on 2006-03-26
Last Modified: 2012-08-13
I have a content management interface.

Pretty much a bunch of text areas that you enter content into.
On another page, I have all the info displayed.

I put the form results into a serialized array.

I am having trouble with double quotes.

How do you preserve the quotes and also display the correct data in the text areas?

<a href="">Link to CNN</a>

When I try to display this in the text area, the quotes ruin everything.
Question by:jackjohnson44
    LVL 28

    Expert Comment

    When you say "displayed on another page" do you mean echoed?

    If so, you have to escape the quotation mark using a backslash \

    <a href=\"\">Link to CNN</a>

    LVL 15

    Expert Comment

    If you're loading this data into a form, you can use htmlspecialchars($data) to stop the quotes from breaking the form inputs.  Example:

    echo htmlspecialchars($data);

    Hope that helps!
    LVL 1

    Expert Comment

    Only using htmlspecialchars will put in a backslash (\) before the double quotes.  Therefore, use stripslashes(htmlspecialchars($data));

    Example (using a textarea):

    print "<textarea name=\"somename\"> " . stripslashes(htmlspecialchars($data))  . "</textarea>";
    LVL 15

    Assisted Solution

    htmlspecialchars() does NOT put a backslash in front of quotes... that's what addslashes() does (or magic quotes, if enabled).  The htmlspecialchars() function changes single quotes to '&#039;' and double quotes to '&quot;'.
    LVL 1

    Accepted Solution

    It actually does add slashes.  Read the comment by juadielon_NOSPAM at hotmail dot com:

    I was trying to retrieve information from a database to display it into the browser. However it did not work as I was expecting.  For instance double quotes (") and single quotes (') were conflicting in HTML in an INPUT selector.

    The first approach to solve this was to use htmlspecialchars to convert special characters to HTML entities to display the input box with its value.

    $encode=htmlspecialchars($str, ENT_QUOTES);

    However, the result was having HTML entities with a \ (backslash) preceding it (escape characters).  For instance ampersand (&) becomes \&amp; displaying \& and double quotes becomes \&quot; displaying \"

    So the final solution was to replace first any \ (backslash) and then ask htmlspecialchars to make the conversion.

    [Editor's Note: This is the wrong way to do this. The proper way is to use

    $encoded = htmlspecialchars(stripslashes($str), ENT_QUOTES);

    blah blah blah...
    LVL 15

    Expert Comment

    Sorry, but a comment from one person back in *2002* does not make that a factual claim.  I can't find that issue documented anywhere else.  In all the times I've used htmlspecialchars() I've never had it add backslashes to my strings.  Backslashes get added if you have magic_quotes_gpc enabled and pass any request data between pages (usually with a form).  This happens because PHP is expecting that posted data to get entered into a database, and therefore it escapes the values so you don't have to manually do it with addslashes().  If you try to display that data, rather than post it to a database, then you need to use stripslashes().

    Of course, the easiest way to tell who's right and who's wrong here is to actually test the code for yourself:


    $string = "Test of \"htmlspecialchars\" & 'quotes'";
    echo "<input type=\"text\" value=\"" . htmlspecialchars($string, ENT_QUOTES) . "\">";


    This outputs:

    Test of "htmlspecialchars" & 'quotes'

    in a text input, with the html source looking like this:

    <input type="text" value="Test of &quot;htmlspecialchars&quot; &amp; &#039;quotes&#039;">

    According to the above comments, this should be full of backslashes, since I didn't strip them.
    LVL 15

    Expert Comment

    A clarification on magic_quotes_gpc ... it's not specifically expecting the data to be inserted into a database, but that is the case in most instances.  Also, it affects any POST, GET or COOKIE values when enabled.
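
An added example, not code from any poster in this thread: it runs the disagreement above over a constructed input, treating magic_quotes_gpc as the addslashes() equivalent the thread describes and encoding with htmlspecialchars() only at output. The helper names raw_value() and h() and the sample string are assumptions made for the illustration.

```php
<?php
// Added example; helper names and sample values are constructed for illustration.

// Remove magic_quotes_gpc escaping only when the setting really added it.
// $magicQuotes is a parameter so both cases can be shown side by side; on a
// legacy install (PHP < 5.4) it would come from get_magic_quotes_gpc().
function raw_value($value, $magicQuotes)
{
    return $magicQuotes ? stripslashes($value) : $value;
}

// Encode for HTML element content or a quoted attribute, at output time only.
function h($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// What the user typed into the form (constructed; contains quotes and a backslash).
$typed = '<a href="">Link to CNN</a> saved in C:\news';

// With magic quotes on, PHP delivered the addslashes() form of the input.
$withMagic    = addslashes($typed);
$withoutMagic = $typed;

// Both paths must yield the same raw string before it is stored.
assert(raw_value($withMagic, true) === $typed);
assert(raw_value($withoutMagic, false) === $typed);

// Stripping unconditionally eats the user's own backslash when magic quotes are off.
assert(stripslashes($withoutMagic) !== $typed);

// Store raw values in the serialized array: no added slashes, no entities.
$stored  = serialize(array('body' => $typed));
$content = unserialize($stored);

// Output: entities, not backslashes, keep the quotes from ending the markup.
echo '<input type="text" name="body_preview" value="' . h($content['body']) . '">', "\n";
echo '<textarea name="body">' . h($content['body']) . '</textarea>', "\n";

// htmlspecialchars() itself introduces no backslash.
assert(strpos(h('"'), '\\') === false);
// The browser decodes the entities, so the resubmitted value equals what was typed.
assert(htmlspecialchars_decode(h($typed), ENT_QUOTES) === $typed);
```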
