How to escape PHP variables passed in the URL?

  • I have a form in HTML that passes the variables that are entered to another page via the “get” method. For example, in the “business-name” field, someone enters the name of their business and is sent to a page with ?business-name=My Business at the end of the URL. Then I use shortcodes to grab the variables in the URL and change the content dynamically, so that a heading like “Customers” becomes “Customers of My Business”. Here is the code for the shortcode:

    if (array_key_exists('business-name', $_GET))
      return ' of ' . $_GET['business-name'];

    My problem is that if the user enters a special character in the form field, such as “Jane’s Business”, the code on the next page tries to escape it but it ends up showing up in the text. The header becomes “Customers of Jane\’s Business”. I’ve tried replacing the URL string with %27 instead, but the browser still resolves it to a ‘. I’ve tried escaping it with the different esc_ attributes, but the only one that does anything is esc_url, for example:

    return ' of ' . esc_url( $_GET['dealer-name'] );

    And while that one removes the \ from the resulting HTML copy, it adds http:// to the beginning, so that the header becomes “Customers of http://Jane's Business”.

    I can’t figure out what to do here, or what the proper escaping syntax is for this. Any help is appreciated.
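
An added example, not part of the original post: WordPress adds backslashes to `$_GET` values on every request, so a value is unslashed first, cleaned with `sanitize_text_field()`, and escaped with `esc_html()` at the point it is returned as HTML text. The shortcode tag `business_suffix` and the function name are hypothetical, and the three stand-in functions are simplified substitutes that only exist so the file also runs under plain `php` outside WordPress.

```php
<?php
// Added example: hardened form of the shortcode callback from the question.
// 'business_suffix' and business_suffix_shortcode() are hypothetical names.

// Simplified stand-ins, used only when WordPress is not loaded.
// Inside WordPress the real core functions are called instead.
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) { return stripslashes( $value ); }
    function sanitize_text_field( $str ) { return trim( strip_tags( $str ) ); }
    function esc_html( $text ) { return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' ); }
}

function business_suffix_shortcode() {
    // Reject a missing parameter and array input such as ?business-name[]=x.
    if ( ! isset( $_GET['business-name'] ) || ! is_string( $_GET['business-name'] ) ) {
        return '';
    }

    // 1. Remove the backslashes WordPress added to the request data.
    $name = wp_unslash( $_GET['business-name'] );

    // 2. Input cleanup: strip tags, line breaks and surrounding whitespace.
    $name = sanitize_text_field( $name );
    if ( '' === $name ) {
        return '';
    }

    // 3. Escape for the context it lands in: text inside an HTML element.
    //    esc_url() is for URLs only, which is why it prepends a scheme.
    return ' of ' . esc_html( $name );
}

if ( function_exists( 'add_shortcode' ) ) {
    add_shortcode( 'business_suffix', 'business_suffix_shortcode' );
} else {
    // Constructed sample inputs, slashed the way WordPress would deliver them.
    $samples = array( "Jane\\'s Business", '<b>Acme</b> & Sons', array( 'x' ) );
    foreach ( $samples as $sample ) {
        $_GET['business-name'] = $sample;
        var_dump( business_suffix_shortcode() );
    }
}
```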
