Php, Why Do You Escape My Quotes

PHP, why do you escape my quotes?

Turn magic_quotes off in PHP.ini.

What is the point of escaping quotation marks in PHP

Escaping the quotation marks inside a string prevents them from ending the string. For example:

$str = "Hi this is a "broken" string";

Essentially the PHP parser sees multiple statements: "Hi this is a", broken, and "string ". It becomes an invalid line of code.

When the parser encounters the first quotation mark, it knows it's found a string, and it knows that the next quotation mark tells it where the string ends. If you want to have quotation marks inside your string, you need to tell the parser that they aren't the end of the string by escaping them with backslashes in front.

If you start your string with single quotes, ', then you only need to escape single quotes inside your string. Same with double quotes. These two lines are both valid code:

$str = "This string is 'not' broken";
$str = 'This string is also "not" broken';

You just have to watch for whichever one you used to open and close the string.

How do I escape only single quotes?

Quite simply: echo str_replace('\'', '\\\'', $myString);
However, I'd suggest using JSON and the json_encode() function, as it will be more reliable (it quotes new lines, for instance):

<?php $data = array('myString' => '...'); ?>

<script>
var phpData = <?php echo json_encode($data) ?>;
alert(phpData.myString);
</script>

Escaping quotation marks in PHP

Use a backslash as such

"From time to \"time\"";

Backslashes are used in PHP to escape special characters within quotes. As PHP does not distinguish between strings and characters, you could also use this

'From time to "time"';

The difference between single and double quotes is that double quotes allow for string interpolation, meaning that you can reference variables inline in the string and their values will be evaluated in the string, like such:

$name = 'Chris';
$greeting = "Hello my name is $name"; //equals "Hello my name is Chris"

As per your last edit of your question, I think the easiest thing you may be able to do at this point is to use a 'heredoc'. They aren't commonly used and honestly I wouldn't normally recommend it but if you want a fast way to get this wall of text into a single string. The syntax can be found here: http://www.php.net/manual/en/language.types.string.php#language.types.string.syntax.heredoc and here is an example:

$someVar = "hello";
$someOtherVar = "goodbye";
$heredoc = <<<term
This is a long line of text that include variables such as $someVar
and additionally some other variable $someOtherVar. It also supports having
'single quotes' and "double quotes" without terminating the string itself.
heredocs have additional functionality that most likely falls outside
the scope of what you aim to accomplish.
term;

Escaping double quotes in php

I tried to use your exact code in a php page I have and it acts as you need it to. Seems to be working just fine for me.

How to escape PHP inside the double quotes of html?

As @quentin mentioned, you're trying to echo a php tag, which you cannot. To use a variable inside a string, without messing with quotes, I normally use heredoc, i.e.:

<?php
$value = 100;
echo <<< EOF
<textarea name="" class="widefat" style="width:100%; height: 100px;" value="{$value}"></textarea>
EOF;

How to escape quotes immediately following each other?

I think you're on the right track, but you're missing two key elements. The first is that you have to include the quote in the negated character class along with the backslash: [^"\\]*. When that part runs out of things to match, the next character (if there is one) must be a quote or a backslash.

If it's a backslash, \\. consumes it and the next character, whatever it is. It might be a quote, a backslash, or anything else; you don't care because you know it's been escaped. Then you go back to gobbling up non-special characters with [^"\\]*.

The other missing element is \G. It anchors the first match to the beginning of the string, just like \A. Each match after that has to start where the previous match ended. This way, when the final " in the regex comes into play, you know that every character before it has been examined, and you are indeed matching an unescaped quote.

$str = '"Hello "" """ world!\"';
$str = preg_replace('/\G([^"\\\\]*(?:\\\\.[^"\\\\]*)*)"/', '$1\"', $str);

Using single quotes (escaping) in PHP

$strLocation = 'http://www.google.com';
$strLink = "<span onclick='window.location.href=&#39;".$strLocation."&#39;'>HI there</span>";

(or)

$strLink = '<span onclick="window.location.href=\''.$strLocation.'\'">HI there</span>';

print $strLink;

Using &#39; is an HTML special character which remains undetected during string operations and will appear only in the browser.

Using \ simply escapes the string.
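The onclick case above, and the earlier json_encode() answer, both place a PHP value inside JavaScript that itself sits inside HTML, so each layer needs its own encoding. The following is an added example, not code from any of the answers; jsLiteral() and html() are hypothetical helper names, the $strLocation value is constructed, and PHP 7.3 or later is assumed for JSON_THROW_ON_ERROR.

```php
<?php
// Added example (not from the answers above). $strLocation is a constructed
// value containing both quote types, standing in for untrusted input.

/** Encode a PHP value as a JS literal that is safe inside <script> or an attribute. */
function jsLiteral($value): string
{
    // JSON_HEX_* turn <, >, &, ' and " into \uXXXX escapes, so the data
    // cannot close a <script> element or end the JS string early.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** Encode text for an HTML attribute value or element content. */
function html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$strLocation = "http://example.test/?q=a'b\"c</script>";

// Layer 1: JS string literal. Layer 2: HTML attribute encoding around it,
// which also covers the double quotes that delimit the JS literal.
$onclick = 'window.location.href=' . jsLiteral($strLocation);
$strLink = '<span onclick="' . html($onclick) . '">HI there</span>';

// Inside a <script> block only the JS-literal layer applies.
$script = '<script>var phpData = ' . jsLiteral(['myString' => $strLocation]) . ';</script>';

echo $strLink, PHP_EOL, $script, PHP_EOL;
```

Encoding keeps the value from breaking out of the string; it does not decide whether the URL itself is acceptable, so check the scheme (for example http/https only) separately before using it as a navigation target.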

Escaping quotes in PHP

You ought to escape special characters (not only quotes) on every string value. (It's useless to escape values you're not going to enclose in quotes in a query; those values require another treatment.)

To avoid boring repetitive typing you can apply an escaping function to array items in a loop.

In case you're using MySQL and for INSERT/UPDATE queries, you can use this helper function:

function dbSet($fields) {
    $set = '';
    foreach ($fields as $field) {
        if (isset($_POST[$field])) {
            $set .= "`$field`='" . mysql_real_escape_string($_POST[$field]) . "', ";
        }
    }
    return substr($set, 0, -2);
}

It is used like this:

$id     = intval($_POST['id']);
$table = 'users';
$fields = explode(" ","name surname lastname address zip fax phone");
$query = "UPDATE `$table` SET ".dbSet($fields).", `date`=NOW() WHERE id=$id";

Also don't forget to set proper encoding using mysql_set_charset() as it's required for the mysql_real_escape_string() function.
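The mysql_* functions used above were removed in PHP 7.0. The same allow-listed UPDATE can be written with PDO prepared statements, where values are bound rather than escaped; this is an added example, not the answer's code. buildUpdate() is a hypothetical helper, the users table and the $post array are constructed, and the pdo_sqlite extension is assumed so the example runs without a database server.

```php
<?php
// Added example (not the answer's code): parameterized UPDATE via PDO.
// Table, columns and the sample $post array are constructed for illustration.

function buildUpdate(string $table, array $allowed, array $input): array
{
    $set = [];
    $params = [];
    foreach ($allowed as $col) {
        if (array_key_exists($col, $input)) {
            // Column names come from the fixed allow-list, never from the request.
            $set[] = "`$col` = :$col";
            $params[":$col"] = (string) $input[$col];
        }
    }
    if ($set === []) {
        throw new InvalidArgumentException('no updatable fields supplied');
    }
    return ["UPDATE `$table` SET " . implode(', ', $set) . " WHERE id = :id", $params];
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, surname TEXT)');
$pdo->exec("INSERT INTO users (id, name, surname) VALUES (1, 'old', 'old')");

// Constructed stand-in for $_POST: values with quotes plus a key not on the allow-list.
$post = ['id' => '1', 'name' => "O'Brien", 'surname' => "x', name='changed", 'is_admin' => '1'];

[$sql, $params] = buildUpdate('users', ['name', 'surname'], $post);
$params[':id'] = (int) $post['id'];

$stmt = $pdo->prepare($sql);
$stmt->execute($params);

// The quotes are stored as data and the is_admin key is ignored.
echo $sql, PHP_EOL;
var_dump($pdo->query('SELECT name, surname FROM users WHERE id = 1')->fetch(PDO::FETCH_ASSOC));
```

Against MySQL, set the connection charset in the DSN (charset=utf8mb4) and set PDO::ATTR_EMULATE_PREPARES to false so the server performs the binding.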


