I have this:
<input name="title" type="text" class="inputMedium" value="' . $inputData['title'] . '" />
I want to strip quotes from user input so that if someone enters something like: "This is my title" it wont mess up my code.
I tried this and it's not working: $inputData['title'] = str_replace('"', '', $_POST['title']);
User input should be run through htmlspecialchars() to be used in this sort of case.
I highly recommend you to use htmlentities($string, ENT_QUOTES) before displaying anything user generated anywhere...
If I understand the question correctly, you want to remove " from $inputData['title'] so your HTML code is not messed up ?
If so, the "right" solution is not to remove double-quotes, but to escape them before doing the actual output.
Considering you are generating HTML, you should use the htmlspecialchars function ; this way, double-quotes (and a couple of other characters) will be encoded to HTML entities, and will not cause any trouble when injected into your HTML markup.
For instance :
echo '<input name="title" type="text" class="inputMedium" value="'
. htmlspecialchars($inputData['title'])
. '" />';
Note : depending on your situation (especially, about the encoding/charset you might be using), you might to pass some additionnal parameters to htmlspecialchars.
Generally speaking, you should always escape the data you are sending as an output, not matter what kind of output format you have.
For instance :
htmlspecialcharsmysql_real_escape_string, or an equivalent, depending on the type of database you're working with