Jackymamouth

Reputation: 149

Escaping single quotes in a URL link

I have a link that is sent through some PHP code:

echo "<a href='" . $galerry . "#" . apastro(get_title($primid)) . "'     class='linkorange'>voir sa galerie</a>";

$galerry links to another page.

get_title($primid) is the id of a specific element in $galerry page.

And the mechanism works fine until one of the element ids has a single quote in it, which makes sense as it would interrupt the echo function.

This is why I have the apastro function:

function apastro($phrase){
    $phrase1 = str_replace("'", "\'", $phrase);
    return $phrase1;
}

Yet, the \ before the single quote isn't helping...

So let's say the link redirects to the element with id="l'aro" on the page something.php. Then the URL will be something.php#l\.

Upvotes: 0

Views: 9903

Answers (2)

Matt

Reputation: 256

If you're looking to escape single quotes only, use double backslashes, as follows:

$str = str_replace("'", "\\'", $str);

Upvotes: -2

Quentin

Reputation: 943210

it would interrupt the echo function

It wouldn't. It would break a string literal delimited by ' characters, but your string literal is delimited with " characters. In this case, it is breaking the HTML attribute value which is delimited by ' characters.

\ is not an escape character for URLs or HTML.

Use urlencode to make a string safe to put into a URL.

Use htmlspecialchars to make a string safe to put into an HTML attribute.

$title = get_title($primid);
$urlsafe_title = urlencode($title);
$url = $galerry . "#" . $urlsafe_title;
$htmlsafe_url = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5);

echo "<a href='$htmlsafe_url' class='linkorange'>voir sa galerie</a>";

Upvotes: 7
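
The backslash approach from the question next to the two-step encoding from the answer above, as an added example that is not code from any poster on this page. The function names, the page URL and the sample titles are hypothetical, and it uses rawurlencode in place of the answer's urlencode so that a space in an id becomes %20 rather than +.

```php
<?php
// Added example. link_unsafe, link_safe and parsed_href are hypothetical names.

// The question's approach: a backslash is not an escape character in HTML,
// so the quote in the title still terminates the href attribute.
function link_unsafe(string $page, string $title): string {
    $escaped = str_replace("'", "\\'", $title);
    return "<a href='" . $page . "#" . $escaped . "' class='linkorange'>voir sa galerie</a>";
}

// Encode once per context, innermost first: URL component, then HTML attribute.
function link_safe(string $page, string $title): string {
    $url  = $page . "#" . rawurlencode($title);
    $attr = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<a href='" . $attr . "' class='linkorange'>voir sa galerie</a>";
}

// Approximates what an HTML parser takes as the href value:
// everything up to the next single quote, with entities decoded.
function parsed_href(string $html): string {
    preg_match("/href='([^']*)'/", $html, $m);
    return html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: a page URL containing '&' and three element ids.
$page   = 'something.php?g=1&p=2';
$titles = ["l'aro", "x' data-injected='1", "deux mots"];

foreach ($titles as $title) {
    $unsafe = parsed_href(link_unsafe($page, $title));
    $safe   = parsed_href(link_safe($page, $title));

    // Recover the fragment the way the target page would see it.
    $fragment = rawurldecode(substr($safe, strpos($safe, '#') + 1));

    echo "title:       ", var_export($title, true), "\n";
    echo "unsafe href: ", var_export($unsafe, true), "\n";
    echo "safe href:   ", var_export($safe, true), "\n";
    echo "round trip:  ", var_export($fragment === $title, true), "\n\n";
}
```

With the unsafe builder the href is cut at the first quote and the rest of the title is parsed as further attributes on the tag; with the safe builder the whole title stays inside the fragment.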
