-1

I have a form which users can edit.

One part of the form is a title field.

I get the previous title value and insert it into the field via PHP:

<input id="title" value=".$previousValue.">

The problem is, when the title has a " in it.

Say if the title was:

test"

It will only show this in the browser:

test

Upon an element inspection the " is there so nothing wrong with the PHP.

Can anyone tell me how to get the quote to show up on the browser?

Thanks

panthro
  • Check out threads/question like [this](http://stackoverflow.com/questions/14314009/which-functions-are-needed-for-secure-form-inputs) ;) – kero Jun 06 '13 at 14:29

3 Answers

0
<input id="title" value="test""> <<<--- see the issue there?

You have to escape your quotes:

<input id="title" value="test&quot;">

So in PHP:

<input id="title" value="<?php echo htmlspecialchars($previousValue)?>">
Naftali
0

You should always use htmlspecialchars($your_variable) when you output to HTML. That will encode characters like ", >, etc. so that they will not break the HTML.

jeroen
0

You have to replace the quotation mark with an HTML entity, as otherwise the browser will think you are simply trying to close the value attribute:

<input id="title" value="<?php echo str_replace('"', '&quot;', $previousValue); ?>">

Edit: Or, as others have correctly pointed out, you can use a shortcut which will catch other cases as well:

<input id="title" value="<?php echo htmlspecialchars($previousValue); ?>">
Derek Henderson
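
An added example (not code from the question or any of the answers) that puts the `str_replace()` approach next to `htmlspecialchars()` called with explicit flags, and checks that the encoded value decodes back to the original title. The helper names `attr` and `quoteOnly` and the sample titles are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Encode a value for an HTML attribute, whichever quote character delimits it.
// Flags and charset are explicit: before PHP 8.1 the default flag set was
// ENT_COMPAT, which leaves single quotes unencoded.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The str_replace() approach, kept for comparison: it only handles ".
function quoteOnly(string $value): string
{
    return str_replace('"', '&quot;', $value);
}

// Constructed sample titles; the first one is the case from the question.
$titles = [
    'test"',
    "it's 5\" wide",
    'A & B <draft>',
];

foreach ($titles as $title) {
    $safe = attr($title);

    // Safe with either quoting style, because both quote characters are encoded.
    echo '<input id="title" value="' . $safe . '">', PHP_EOL;
    echo "<input id='title' value='" . $safe . "'>", PHP_EOL;

    // quoteOnly() leaves ' & < > untouched, so this single-quoted attribute
    // is cut short as soon as the title contains an apostrophe.
    echo "<input id='title' value='" . quoteOnly($title) . "'>", PHP_EOL;

    // The browser decodes entities while parsing the attribute, so the form
    // submits the original text. Store the raw title and encode only on output.
    $roundTrip = html_entity_decode($safe, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    echo 'round trip intact: ', var_export($roundTrip === $title, true), PHP_EOL;

    // Encoding an already encoded value changes it whenever the first pass
    // produced entities (&quot; becomes &amp;quot;), so never encode twice.
    echo 'double encoding differs: ', var_export(attr($safe) !== $safe, true), PHP_EOL, PHP_EOL;
}
```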