I'm trying to populate an HTML text box with a php variable. The variable is a string with a single quotation mark in it and is retrieved from a database.
When I echo the variable it looks as it's supposed to - ie. "here's my string" so, it's correctly displaying the ' single quotation mark.
But when I try to put that variable into a text box field ie.
<? echo("<input type='text' name = 'title' value='$title'/>");?>
The quotation mark is ignored..
Any help is greatly appreciated as I've tried running the variable through a number of HTML formatting functions but to no avail.
You should change it to this:
<input type="text" name="title" value="<?php echo htmlentities($title, ENT_QUOTES); ?>" />
htmlspecialchars() and htmlentities() are used to convert strings in to HTML with correct encoding.
The ENT_QUOTES option ensures that the apostrophes and speech marks are also correctly encoded.
Use htmlentities or htmlspecialchars with the ENT_QUOTES flag to escape quotes in the text before outputting it.
<?php echo '<input type="text" name="title" value="'.htmlentities($title, ENT_QUOTES).'" />'; ?>
Related
I have a hidden field
<input type="hidden" name="thischeckout" id="thischeckout" value="<?php echo $htmlTable;?>"> in a form that is submitted.
When I use <?php echo $_POST["thischeckout"];?> on the next page, only a portion of the content is being displayed. I suspect quotes in $htmlTable are messing with the output.
Can I replace quotes with something that won't mess up when I output the POST via the php echo?
When you escape the output using htmlspecialchars, you have to tell the function the context for the escape. In this case, passing ENT_QUOTES is sufficient since that's really the only character that needs to be specially handled in a general HTML attribute.
<input type="hidden" name="thischeckout" id="thischeckout" value="<?php echo htmlspecialchars($htmlTable, ENT_QUOTES);?>">
I have some strings in the database like SNEAKERS "SUPER STAR" GOLDEN GOOSE. These are the titles for some products. When I output it normally inside a <p> it shows the quotes, but when I echo it inside an input value, <input type="text" value="<?= $product->title ?"> the string gets truncated before the first double quote, so the value becomes just SNEAKERS.
Is there a way I can output the double quotes inside the value of an input ?
EDIT:
The closing tag was a typo, in the code it is closed.
Use htmlspecialchars like so:
htmlspecialchars($product->title);
i.e
<input type="text" value="<?= htmlspecialchars($product->title) ?>">
Evaluate this html, I think you'll see where the problem lies:
<input type="text" value="SNEAKERS "SUPER STAR" GOLDEN GOOSE">
If you look closely, you'll see that the double quotes from the string are closing the double quotes for the input. The solution to this as others have pointed out is to call htmlspecialchars and pass it the string prior to outputting it.
You're also missing the ending > for the closing PHP tag.
You're missing your closing tag try this:
<input type="text" value="<?= $product->title ?>">
Also you need to escapte the double quotes inside the html (as in Wayne answer)
I have a value ($title) that is stored in MySQL and is being called, using PHP, to be inserted into the value of an input element. The problem is when a single or double quote is used, the value of the input field terminates at that point.
The behavior that should occur is the input field should be populated EXACTLY with the data in the $title variable, so that when the form is updated, the quotes remain intact.
Here is the PHP:
<?php
echo '<input type=text size=91 name=title value="'.stripslashes($title).'">';
?>
Now, here is a typical problem: if the value of $title
this is a test " of what occurs with a quote
and I echo the variable, it echos correctly to
this is a test " of what occurs with a quote
However, when used in an input field, it renders as:
<input value="this is a test " of what occurs with a quote">
The first " terminates the value of the field, causing the new value to be:
this is a test
I'm confused as to how to get the proper value to display and be submitted with the form, when that variable is displayed and updated.
Try using htmlspecialchars. This will escape the " in yout title.
value="'.htmlspecialchars($title).'">
Put a \ before the quote.
echo "This is a \" test";
Change this line.
<input type=text size=91 name=title value="'.stripslashes($title).'">
To
<input type=text size=91 name=title value=\''.stripslashes($title).'\'>
Why are you running stripslashes()? Running addslashes() (the opposite function) would fix this particular issue, but a better approach would be to use htmlentities($title, ENT_COMPAT, 'utf-8') everywhere you output the title (or, if your structure allows, when the data is stored).
After you perform stripslashes you should use htmlspecialchars to escape the special characters. This avoids the mess the characters like ",', etc might otherwise create.
<input type=text size=91 name=title value="'.htmlspecialchars(stripslashes($title)).'">
The above snippet will only fix it for display purpose. But when the submit happens you must use either mysql_real_escape_string() or $pdo->quote() to escape the special characters before you run the SQL query.
In the following code....
<td height="27" align="right" valign="middle">Social & Political</td>
And in General.php page....
<input type='text' name='category' id='category' value='<?= $_GET['category']; ?>' maxlength="25"/>
Here the value taking only 'Social', instead of 'Social & Political'. If I change this to 'Social Political', its taking perfectly. Why is that?
& has special meaning in both URIs and in HTML. In a query string, which is where you are putting it, it means "End of this key/value pair and start of the next one".
Run your string through urlencode (immediately) before inserting it into a URL.
Run your string through htmlspecialchars (immediately) before inserting it into HTML.
(urlencode shouldn't leave any HTML special characters in the string, but it is a good habit to push all data that is "not known to be HTML" through htmlspecialchars before concatenating it with HTML).
Because & is a special character.
Use PHP function urlencode() and urldecode()
use urlencode for the variables which you are passing in the query string
To complement the previous answers, this will work
a href="General.php?category=Social %26 Political"
%26 is the url code for the character &
I want to display text in html form(text field) that comes from DB so I used following code
....
.....
<input type="text" name="txtqname" id="txtqname" value="<?=$myvar ?>"></input>
....
.....
Here $myvar is variable whose value comes form DB and that may contains single or double quotes. Because of this my text is not properly displayed in text field as I want. I tried to replace double quotes with single as
....
.....
<input type='text' name='txtqname' id='txtqname' value='<?=$myvar ?>'></input>
....
.....
but still I don't get proper text. Please help me.
Thanks in advance...
Simple, all you have to do is:
<input type="text" name="txtqname" id="txtqname" value="<?= htmlspecialchars( $myvar ) ?>"></input>
Just use htmlentities() or htmlspecialchars()
http://php.net/manual/de/function.htmlentities.php
You should use proper addslashes() and stripslashes() for formatting data.
Make sure every data is properly formatted before inserting into database. Also try this mysql_real_escape_string()
You can use htmlentities function with ENT_QUOTES,
Ex: htmlentities($myvar, ENT_QUOTES);
ENT_QUOTES Will convert both double and single quotes.