I have to create a login in form which a user will insert a username and a password. I have to ensure that html entities are not processed, and I can not allow single quotes or double quotes to be processed either. I must echo the data entered into the form and display it.
I must use htmlentities and str_replace. I have the htmlentities correct, but am unsure on how to utilize the str_replace function to replace the single and double quotes that the user might enter into the form. Any help would be awesome.
Here is my current PHP (which works)
<?php
$username = htmlspecialchars($_POST['username']);
$password = htmlspecialchars($_POST['password']);
$comment = htmlspecialchars($_POST['comment']);
?>
<html>
<body>
Your username is: <?php echo $username; ?><br />
Your password: <?php echo $password; ?><br />
Your Comment was: <?php echo $comment; ?>
First of all, it is always better to check for the unwanted characters and get back to the user, than silently stripping them. Say, a user added a quote to their password, you removed it, and so they won’t be able to login at all! So it’s better to check and tell the user instead:
But in this specific case I would advise against replacing any characters. Imagine
Shaquille "Shaq" O'Nealis going to register on your site. What’s the point in stripping him of all those quotes? Let alone the password, where use of punctuation is strongly encouraged.After all, those quotes don’t do any harm, if you properly handle them.
for HTML, simply use
htmlspecialchars()withENT_QUOTESattribute:for SQL, use prepared statements to avoid any problems with quotes
But just for sake of literal answer, here is how to remove quotes (or any other characters and even multi-character substrings) in PHP