PHP - str_replace();

I'm entering news on my website through a form. While adding news or editing it, or get replaced with a br.

Now I still have an issue, when I write for example "I've" it will print out as I\'ve.

First question, is this caused due to mysql_real_escape_string(); ? Second question, how can I replace multiple matches with different tags?

Right now I have something like this:

    $order = array("'", "\'");
    $replace = "´";
    $order = array("\r\n", "\n", "\r");
    $replace = "<br />";
    $string = $news;
    $insert = str_replace($order, $replace, $string);

I'm almost sure this is not the correct way to do it because they are all assigned to the same variables... Could someone point me in the right direction, please?

Edit: Although this works, am I 'allowed' to code it like this?

Edit: Thank you all for your answers, problem is fixed now! :)

You can use arrays as input for str_replace():

    // str_replace() applies the pairs in order, so match the escaped \' before the bare '
    $order = array("\'", "'", "\r\n", "\n", "\r");
    $replace = array("&acute;", "&acute;", "<br />", "<br />", "<br />");
    $string = $news;
    $insert = str_replace($order, $replace, $string);

And yes, the escaped \' are likely from your database code. Use stripslashes() to remove them.

You can simply use the function stripslashes.

    stripslashes($string);

Have a look into the official documentation

    <?php
        $str = "Is your name O\'reilly?";

        // Outputs: Is your name O'reilly?
        echo stripslashes($str);
    ?>

Yes, this is not the right way to do it.

You should start by ensuring that you are using a consistent character set in your html and in your database. Next, remember the magic rule: Never sanitize input, always sanitize output.

i.e. the only change to the data you put into the database should be mysql_real_escape_string() (or use bound parameters). For output to the browser, use htmlentities() - do NOT attempt to write your own versions of these. DO NOT use stripslashes unless there is no appropriate method of escaping the content correctly.

Also, make sure that addslashes is disabled everywhere in PHP.

Use the function html_entity_decode to decode the HTML part into special characters at the time of inserting the data into the database.

And when you are echoing it, use the function htmlspecialchars. This is the opposite of the above function, and you will not face any issue.

I'm entering news on my website through a form. While adding news or editing it, or get replaced with a br.

The code you posted will work (the last part at least). However PHP has a function specifically for this purpose - nl2br()

Now I still have an issue, when I write for example "I've" it will print out as I\'ve.

This is due to a deprecated PHP configuration setting called magic quotes, which automatically escapes GET or POST data. If you are already escaping the variables using mysql_real_escape_string, you can probably safely disable magic quotes. You should never have to call stripslashes() on data you've pulled out of the database.
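The approach the answers above describe (bound parameters on the way in, HTML escaping plus nl2br() on the way out), as an added example that is not code from any of the posts. The in-memory SQLite database, the `news` table and the function names `saveNews`, `loadNews` and `renderNews` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample input: an apostrophe, CRLF and LF line breaks, and markup.
$submitted = "I've added a <b>new</b> post.\r\nSecond line\n<script>alert(1)</script>";

// Assumption: pdo_sqlite is available; an in-memory table stands in for the real one.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

/** Store the text exactly as typed; the bound parameter handles the quoting. */
function saveNews(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO news (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

/** Read one item back; no stripslashes() is needed because nothing was added. */
function loadNews(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM news WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    if ($body === false) {
        throw new RuntimeException("No news item $id");
    }
    return $body;
}

/** Escape for HTML first, then let nl2br() insert <br /> before each line break. */
function renderNews(string $body): string
{
    return nl2br(htmlspecialchars($body, ENT_QUOTES, 'UTF-8'));
}

$id = saveNews($pdo, $submitted);
$stored = loadNews($pdo, $id);

var_dump($stored === $submitted);   // compares the stored text with what was typed
echo renderNews($stored), PHP_EOL;  // markup is shown as text, line breaks become <br />
```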