str_replace behavior - odd ?

[Trusts]

HI all,

I have a form. There is a text box for the name of race 1.

Within the processing code, I address the passed value like this. I am trying to remove single quotes:

str_replace("'", "",$_POST['Race1_Name'])

The sent value is this: race one's here

And here is what is returned: race one\s here


I do not need a slash to replace a quote. I desire the quote to be removed. The str_replace I have set up I would think just removes the quote, but apparantly not.

Can anyone explain what is happening, and tell me how to just get rid of the quote without gaining the slash?

Thanks,
KB

 

[Borvik]

The POST itself is adding the slash - escaping the quote. When you remove the quote and look at it - all you see left is the slash.

You must have "magic_quotes_gpc" on.

This is useful when sending the data to a database.

Here is a function that can help you fix the incoming data.

function FixIncoming($data = array()){
	foreach($data as $key => $value){
		if(is_array($value))
			$data[$key] = FixIncoming($value);
		else{
			if(ini_get('magic_quotes_gpc') == 1)
				$data[$key] = stripslashes($value);
		}
	}
	return $data;
}

Then just call FixIncoming with the _POST array:

$_POST = FixIncoming($_POST);

Hope that helps.

 

[jpadie]

don't do that! magic_quotes is a really bad idea - all these things should be left to the programmer to control progammatically through the application. edit your php.ini file and turn off magic_quotes_gpc and magic_quotes_runtime.

 

[Borvik]

I'm not saying they should turn it on - I'm saying the must already have it on!

I don't like it when its on either - which is why (if I don't have a choice), I use the function above to fix the incoming data.

 

[jpadie]

i took your endorsement from

This is useful when sending the data to a database.

although, in fact, i suspect you were referring to magic_quotes_runtime().

 

[Borvik]

Gotcha, no I was just referring to AN arguement that is used by advocates of it.