
Escape quotes in a variable with PHP

I use this code to generate HTML:

echo "<input type='button' onclick=\"myFunc('$param');\" />";

Everything would be OK unless $param contains a ' or " character. How should it be implemented to handle these situations?

PS: mysql_real_escape_string($param) won't work correctly when a user enters ".


There are a couple of functions that could be used:

<?php
$string = 'string test"';

echo htmlentities($string) . "\n";
echo addslashes($string) . "\n";

They produce the following:

string test&quot;
string test\"


If you are relying on user input, use htmlentities($param, ENT_QUOTES);

See http://uk.php.net/manual/en/function.htmlentities.php


As Damien said, use addslashes :)

$param=addslashes($param);
echo "<input type='button' onclick=\"myFunc('$param');\" />";


Whenever thinking about escaping, you always need to ask
"In which context do I want to escape?"
Because escaping is essentially making sure the input is not interpreted in the special meaning of the target, but literally.

Do not use addslashes, since it's contextless.

If you are inserting the string into HTML, use

htmlspecialchars($argument, ENT_QUOTES)

as mentioned.

The onclick content part is technically JavaScript, so it might be appropriate to escape the content with json_encode (its side effect is JavaScript-specific escaping). Similarly, should you have a style attribute, you'd want to escape the content with

addcslashes($s, "\x00..\x2C./:;<=>?@[\\]^`{|}~")

(source: http://translate.google.com/translate?u=http%3A%2F%2Fphpfashion.com%2Fescapovani-definitivni-prirucka&ie=UTF8&sl=cs&tl=en)

Summary
Use

$param = htmlspecialchars(json_encode($param), ENT_QUOTES)

and then you can safely include it into the HTML string.
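
The following is an added example that is not part of the original answer; the function names attr_js_string, render_button_safe, render_button_addslashes and browser_roundtrip are this example's own. It puts the two-context escaping from the summary next to the addslashes version from the question, and simulates what the browser does with the attribute (HTML-decode first, then parse the JavaScript string literal) to check that the original value comes back unchanged. Note that because json_encode already supplies the surrounding quotes, the template must not wrap the placeholder in its own '...'.

```php
<?php
// Added example (not from the original answers): escaping a value that passes
// through two parsers, the HTML attribute parser and then the JavaScript parser.
declare(strict_types=1);

// Encode $value as a JavaScript string literal that is safe inside a
// double-quoted HTML attribute. Step 1: json_encode produces a quoted JS
// string literal and backslash-escapes quotes, newlines and control
// characters; the JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX so they
// never appear raw. Step 2: htmlspecialchars escapes whatever the attribute
// parser treats specially. The browser undoes step 2, then step 1.
function attr_js_string(string $value): string
{
    $js = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return htmlspecialchars($js, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Correct form: no extra '...' around the placeholder, json_encode added them.
function render_button_safe(string $param): string
{
    return '<input type="button" onclick="myFunc(' . attr_js_string($param) . ');" />';
}

// The addslashes version from the question, kept only for comparison.
// A " in $param becomes \" but the attribute parser still ends the
// attribute at that " (backslashes mean nothing to HTML), and a newline
// is left raw, which is a syntax error inside a JS single-quoted string.
function render_button_addslashes(string $param): string
{
    $p = addslashes($param);
    return "<input type='button' onclick=\"myFunc('$p');\" />";
}

// Simulate the browser: HTML-decode the attribute value, then parse the JS
// string literal (json_decode is an adequate stand-in for a single literal).
// Returns null if the value would not round-trip.
function browser_roundtrip(string $param): ?string
{
    $attr = attr_js_string($param);
    $js   = html_entity_decode($attr, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $back = json_decode($js, false, 512, JSON_THROW_ON_ERROR);
    return is_string($back) ? $back : null;
}

// Constructed sample inputs covering the characters the question worries about.
$samples = [
    "O'Reilly",
    'say "hi"',
    "'); alert(1); //",
    '</script><script>alert(1)</script>',
    "line1\nline2 & more",
];

foreach ($samples as $s) {
    echo "input:      " . json_encode($s) . "\n";
    echo "addslashes: " . render_button_addslashes($s) . "\n";
    echo "safe:       " . render_button_safe($s) . "\n";
    echo "roundtrip:  " . (browser_roundtrip($s) === $s ? 'ok' : 'MISMATCH') . "\n\n";
}
```

Run it with php on the command line; every sample reports roundtrip: ok for the safe form, while the addslashes lines show the attribute being cut at the first " and the raw newline.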


Pass the variable through htmlspecialchars($param, ENT_QUOTES)


First do

// only for the GUY who didn't read the complete answer :(
$param=addslashes($param); 

then write the code in plain HTML

<input type='button' onclick="myFunc(<?php echo $param?>);" />

Note: mysql_real_escape_string works when we are dealing with MySQL. Try with addslashes.


This works for me...

echo '<a href="#" onclick="showTable(&#039;'.$table.'&#039;)">'.$table.'</a>';

It's not necessary to use backslashes for escaping when using single quotes for echo. Single quotes have my vote for working with both PHP and JavaScript + HTML tags.
