I was working with MySQL and displaying the title to things on the web page. I'd written a script to ensure single and double quotes were removed from the title. I used
$title = str_replace( "'", "", $title );
and
$title = str_replace( '"', "", $title );
But still the single and double quotes continued. So I wrote a bit of code to print out each character separated by a dash. Like so:
for( $i=0; $i<strlen($title); $i++ ){
    // print the character at position $i, not the index itself
    echo $title[$i] . "-";
}
echo "<br>\n";
This displayed:
m-y-c-o-m-p-a-n-y- b-b-&-#-3-9-;-s
Which made me go "Oh! I get it."
The MySQL function real_escape_string modifies the single quotes to be &#39; and double quotes as &#34;. These still show up as single and double quotes under HTML and most importantly -
JAVASCRIPT sees the &#34; and &#39; as actual single or double quotes. So if you are passing arguments to a function you have to get rid of them or else you will get an error on trying to call a given function. Example:
<a href="javascript:func1('mycompany bbs&#39;s');">
becomes
<a href="javascript:func1('mycompany bbs's');">
Which then will give you an error because there is a single quote inside of the single quoted string. HOWEVER, the
$title = str_replace( "'", "", $title );
WILL NOT FIND a single quote. Instead, you have to do this:
$title = str_replace( "&#39;", "'", $title );
and
$title = str_replace( "&#34;", '"', $title );
(Or you could just get rid of them.)
So remember! If you are trying to remove single and double quotes and are using MySQL and MySQL's real_escape_string() function, you might have single and double quotes hanging around which are defined as &#39; and &#34; but which show up as single and double quotes as well as causing problems in your JavaScript.
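An added example, not part of the original post: rather than deleting or swapping quote characters, encode the value once per context it passes through, JavaScript string first and HTML attribute second. It uses func1 from the post; the helper names and the sample title are constructed for illustration, and it emits an onclick attribute because a javascript: URL adds a further percent-decoding step that this sketch does not cover.

```php
<?php
// Added example (not from the original post). Constructed sample title.
$title = "mycompany bbs's \"best\" <deals>";

// Approximates what an HTML parser does to an attribute value before the
// script in it runs: character references such as &#39; are decoded.
function attr_as_seen_by_js(string $attr): string
{
    return html_entity_decode($attr, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Entity-encoding alone: correct for HTML text, but inside a script
// attribute the decoded quote ends the JavaScript string early.
function entity_only(string $func, string $arg): string
{
    return "$func('" . htmlspecialchars($arg, ENT_QUOTES, 'UTF-8') . "');";
}

// Layered encoding, innermost context first:
//   1. json_encode() produces a JavaScript string literal; the JSON_HEX_*
//      flags turn ' " < > & into \uXXXX escapes.
//   2. htmlspecialchars() makes that script safe as an attribute value.
function layered(string $func, string $arg): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
           | JSON_THROW_ON_ERROR;
    $script = "$func(" . json_encode($arg, $flags) . ");";
    return htmlspecialchars($script, ENT_QUOTES, 'UTF-8');
}

// Show each attribute as written to the page and as the script engine
// receives it after the parser has decoded the entities.
foreach (['entity_only', 'layered'] as $encoder) {
    $attr = $encoder('func1', $title);
    echo "$encoder\n";
    echo "  attribute : onclick=\"$attr\"\n";
    echo "  JS sees   : " . attr_as_seen_by_js($attr) . "\n";
}
```

Run from the command line, the "JS sees" line for entity_only contains a bare quote inside the quoted argument, while the layered form keeps every quote as a \uXXXX escape inside one string literal.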