Question

I am having trouble with apostrophes causing errors in a grading system I have set up. When a customer submits a paper that contains apostrophes, I am replacing all apostrophes with PHP like so:

// Now remove apostrophes
$essay = str_replace("'", "", $essay);

The problem, though, is that this does not work for all the different types of apostrophes. An example:

This apostrophe is different than this apostrophe '. I am guessing the solution is to update the $essay variable to a standard apostrophe type and then use str_replace to remove all apostrophes.

Any help in this matter would be greatly appreciated!


Solution 2

While I don't agree with your perilous vendetta against proper typography, I can tell you that you will need a str_replace() for each of the different kinds of apostrophe-esque characters that there are. Just do a bunch of str_replace()s with each kind of apostrophe you want removed.

I still think you are trying to solve a problem by avoiding it rather than solving it. Apostrophes are perfectly OK to put into a MySQL database; it might just need to have a different character set or collation.

OTHER TIPS

Don't worry about trying to sanitize data (i.e., at the moment you're trying to remove apostrophes...) for database insertion yourself. This is a solved problem.

The best solution is to use the PDO database connector to insert data with prepared queries.

There is no need to do validation / sanitizing for insertion at all - your database will store all the data correctly when you let it.

If you are still using mysql_* functions, please don't. They are very old, and soon to be deprecated, and allow for many, many programming mistakes and exploits in an application when not used with extreme care.

Here is a decent tutorial on how to use PDO. Remember, if you use it correctly with prepared statements, you won't need to worry about sanitizing! You won't need to worry about apostrophes of any kind! The PDO connector will do it for you!

What are you sanitizing it for?

Submission into a database? real_escape_string()

Returning it to the URL for a get request? htmlspecialchars()

The specific reason why you're sanitizing it helps us to figure out the best way to do it!

Try filter_var if you're trying to prevent XSS attacks.

$essay=filter_var($essay, FILTER_SANITIZE_STRING);

If you're trying to protect against SQL injection, look up parameterized queries.
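
As an added example (not part of any answer above, and not code from the original page): the prepared-query approach recommended in the PDO answer, which is also what the last answer means by parameterized queries, shown beside the concatenated query that breaks on an apostrophe. The in-memory SQLite database, the `essays` table, the function names and the sample essay are assumptions made so the example runs offline.

```php
<?php
// Constructed sample essay containing several apostrophe-like characters.
$essay = "It's the student’s ‘first’ draft, written in O`Brien's class.";

// Assumption: in-memory SQLite stands in for the real database.
// With MySQL the DSN would look like "mysql:host=...;dbname=...;charset=utf8mb4".
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE essays (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Before: SQL built by concatenation. The straight apostrophe in "It's"
// closes the string literal early, which produces the kind of error the
// question describes.
function insertConcatenated(PDO $pdo, string $essay): bool
{
    try {
        $pdo->exec("INSERT INTO essays (body) VALUES ('" . $essay . "')");
        return true;
    } catch (PDOException $e) {
        return false; // syntax error caused by the unescaped apostrophe
    }
}

// After: a prepared statement. The essay is passed as a bound value rather
// than spliced into the SQL text, so nothing has to be stripped or replaced.
function insertPrepared(PDO $pdo, string $essay): int
{
    $stmt = $pdo->prepare('INSERT INTO essays (body) VALUES (:body)');
    $stmt->execute([':body' => $essay]);
    return (int) $pdo->lastInsertId();
}

// Read the stored essay back, again through a bound parameter.
function fetchEssay(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM essays WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Try the concatenated insert, then the prepared one, and compare the
// stored text with the submitted text byte for byte.
var_dump(insertConcatenated($pdo, $essay));
$id = insertPrepared($pdo, $essay);
var_dump(fetchEssay($pdo, $id) === $essay);
```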

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow