serialize double quotes

Posted on 2006-03-26
Last Modified: 2012-08-13
I have a content management interface.

Pretty much a bunch of text areas that you enter content into.
On another page, I have all the info displayed.

I put the form results into a serialized array.

I am having trouble with double quotes.

How do you preserve the quotes and also display the correct data in the text areas?

<a href="http://www.cnn.com">Link to CNN</a>

When I try to display this in the text area, the quotes ruin everything.
Question by:jackjohnson44
LVL 28

Expert Comment

ID: 16295164
When you say "displayed on another page" do you mean echoed?

If so, you have to escape the quotation mark using a backslash \

<a href=\"http://www.cnn.com\">Link to CNN</a>

LVL 15

Expert Comment

ID: 16295712
If you're loading this data into a form, you can use htmlspecialchars($data) to stop the quotes from breaking the form inputs.  Example:

echo htmlspecialchars($data);

Hope that helps!

Expert Comment

ID: 16296753
Only using htmlspecialchars will put in a backslash (\) before the double quotes.  Therefore, use stripslashes(htmlspecialchars($data));

Example (using a textarea):

print "<textarea name=\"somename\"> " . stripslashes(htmlspecialchars($data)) . "</textarea>";


LVL 15

Assisted Solution

Tomeeboy earned 1000 total points
ID: 16297126
htmlspecialchars() does NOT put a backslash in front of quotes... that's what addslashes() does (or magic quotes, if enabled).  The htmlspecialchars() function changes single quotes to '&#039;' and double quotes to '&quot;'.


Accepted Solution

OneNineEightNine earned 1000 total points
ID: 16302246
It actually does add slashes.  Read the comment by juadielon_NOSPAM at hotmail dot com:

I was trying to retrieve information from a database to display it into the browser. However it did not work as I was expecting.  For instance double quotes (") and single quotes (') were conflicting in HTML in an INPUT selector.

The first approach to solve this was to use htmlspecialchars to convert special characters to HTML entities to display the input box with its value.

$encode=htmlspecialchars($str, ENT_QUOTES);

However, the result was having HTML entities with a \ (backslash) preceding it (escape characters).  For instance ampersand (&) becomes \&amp; displaying \& and double quotes becomes \&quot; displaying \"

So the final solution was to replace first any \ (backslash) and then ask htmlspecialchars to make the conversion.

[Editor's Note: This is the wrong way to do this. The proper way is to use

$encoded = htmlspecialchars(stripslashes($str), ENT_QUOTES);

blah blah blah...
LVL 15

Expert Comment

ID: 16325936
Sorry, but a comment from one person back in *2002* does not make that a factual claim.  I can't find that issue documented anywhere else.  In all the times I've used htmlspecialchars() I've never had it add backslashes to my strings.  Backslashes get added if you have magic_quotes_gpc enabled and pass any request data between pages (usually with a form).  This happens because PHP is expecting that posted data to get entered into a database, and therefore it escapes the values so you don't have to manually do it with addslashes().  If you try to display that data, rather than post it to a database, then you need to use stripslashes().

Of course, the easiest way to tell who's right and who's wrong here is to actually test the code for yourself:


$string = "Test of \"htmlspecialchars\" & 'quotes'";
echo "<input type=\"text\" value=\"" . htmlspecialchars($string, ENT_QUOTES) . "\">";


This outputs:

Test of "htmlspecialchars" & 'quotes'

in a text input, with the html source looking like this:

<input type="text" value="Test of &quot;htmlspecialchars&quot; &amp; &#039;quotes&#039;">

According to the above comments, this should be full of backslashes, since I didn't strip them.
LVL 15

Expert Comment

ID: 16326022
A clarification on magic_quotes_gpc ... it's not specifically expecting the data to be inserted into a database, but that is the case in most instances.  Also, it affects any POST, GET or COOKIE values when enabled.
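
Added example, not part of the original thread: the full round trip the question describes (form values into a serialized array, then back into form fields), plus a check of where the backslashes discussed above come from. The helper names `h()` and `render_edit_form()` and the sample values are constructed for illustration, and `addslashes()` stands in for `magic_quotes_gpc`, which was removed in PHP 5.4.

```php
<?php
// Constructed sample input: what an editor typed into the CMS text areas.
$form = [
    'title' => 'Tom & "Jerry"',
    'body'  => '<a href="http://www.cnn.com">Link to CNN</a>',
];

// Store the values raw. serialize() length-prefixes every string, so quotes
// inside the values need no escaping at this stage.
$stored = serialize($form);

// Load them back. allowed_classes => false (PHP 7+) stops unserialize() from
// instantiating objects if the stored blob is ever tampered with.
$loaded = unserialize($stored, ['allowed_classes' => false]);
if ($loaded !== $form) {
    throw new RuntimeException('serialize round trip changed the data');
}

// Encode for the HTML context at output time only, never before storage.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Both the attribute value and the textarea body get the same encoding.
function render_edit_form(array $data): string
{
    return '<input type="text" name="title" value="' . h($data['title']) . '">' . "\n"
         . '<textarea name="body">' . h($data['body']) . '</textarea>' . "\n";
}

echo render_edit_form($loaded);

// The backslash question: simulate request data that was slashed on the way in.
$slashed = addslashes($form['body']);

// htmlspecialchars() adds no backslashes of its own ...
if (strpos(h($form['body']), '\\') !== false) {
    throw new RuntimeException('unexpected backslash in encoded output');
}
// ... but it passes through any that were already in its input ...
if (strpos(h($slashed), '\\') === false) {
    throw new RuntimeException('expected the pre-existing backslashes to survive');
}
// ... so stripslashes() belongs before the encoding step, on slashed input only.
if (h(stripslashes($slashed)) !== h($form['body'])) {
    throw new RuntimeException('stripslashes() did not undo addslashes()');
}
```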
