Removing single-quote from a string in php
You could also be more restrictive in removing disallowed characters. The following regex would remove all characters that are not letters, digits or underscores:
$FileName = preg_replace('/[^\w]/', '', $UserInput);
You might want to do this to ensure maximum compatibility for filenames across different operating systems.
Using your current str_replace method:
$FileName = str_replace("'", "", $UserInput);
While it's hard to see, the first argument is a double quote followed by a single quote followed by a double quote. The second argument is two double quotes with nothing in between.
With str_replace, you could even have an array of strings you want to remove entirely:
$remove[] = "'";
$remove[] = '"';
$remove[] = "-"; // just as another example
$FileName = str_replace( $remove, "", $UserInput );
You can substitute in an HTML entity:
$FileName = preg_replace("/'/", "&#39;", $UserInput);
$replace_str = array('"', "'", ",");
$FileName = str_replace($replace_str, "", $UserInput);
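An added example, not taken from any of the answers above: the allow-list approach from the first answer, wrapped in a function that also covers the cases a bare replace leaves open (directory parts, stacked extensions, dotfiles, and input that is stripped to nothing). The function name `sanitize_filename`, the length limits and the `file_` fallback prefix are assumptions made for this example.

```php
<?php
// Added example: allow-list filename sanitizer (hypothetical helper, PHP 7+).
function sanitize_filename(string $userInput, int $maxLen = 64): string
{
    // Drop any directory part; treat "\" like "/" so the result is the
    // same whichever OS the code runs on.
    $name = basename(str_replace('\\', '/', $userInput));

    // Split at the last dot so stem and extension are cleaned separately.
    $ext  = pathinfo($name, PATHINFO_EXTENSION);
    $stem = pathinfo($name, PATHINFO_FILENAME);

    // Explicit ASCII form of the [^\w] allow-list: letters, digits, underscore.
    // Quotes, dashes, spaces and dots inside the stem are all removed.
    $stem = preg_replace('/[^A-Za-z0-9_]/', '', $stem);
    $ext  = preg_replace('/[^A-Za-z0-9_]/', '', $ext);

    $stem = substr($stem, 0, $maxLen);
    if ($stem === '') {
        // Nothing survived the filter (e.g. input was only quotes, or a
        // dotfile name): generate a stem instead of returning an empty name.
        $stem = 'file_' . bin2hex(random_bytes(4));
    }

    return $ext === '' ? $stem : $stem . '.' . substr($ext, 0, 10);
}

// Constructed sample inputs, chosen to exercise each branch.
$samples = [
    "O'Reilly report.pdf",   // quote and space removed
    "../../etc/passwd",      // directory part dropped
    "'\"-",                  // fully stripped, fallback stem used
    "photo.php.jpg",         // inner dot removed from the stem
    ".htaccess",             // empty stem, fallback stem used
];

foreach ($samples as $s) {
    printf("%-24s => %s\n", var_export($s, true), sanitize_filename($s));
}
```

The cleaned name is only safe to use as a name; whether a given extension may be stored or served is a separate check.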