-1

I have a form which users can edit.

One part of the form is a title field.

I get the previous title value and insert it into the field via PHP:

<input id="title" value=".$previousValue.">

The problem is when the title has a " in it.

Say if the title was:

test"

It will only show this in the browser:

test

Upon an element inspection, the " is there, so there is nothing wrong with the PHP.

Can anyone tell me how to get the quote to show up on the browser?

Thanks

panthro
  • Check out threads/question like [this](http://stackoverflow.com/questions/14314009/which-functions-are-needed-for-secure-form-inputs) ;) – kero Jun 06 '13 at 14:29

3 Answers

0
<input id="title" value="test""> <<<--- see the issue there?

You have to escape your quotes:

<input id="title" value="test&quot;">

So in PHP:

<input id="title" value="<?php echo htmlspecialchars($previousValue)?>">
Naftali
0

You should always use htmlspecialchars($your_variable) when you output to HTML. That will encode characters like ", >, etc. so that they will not break the HTML.

jeroen
0

You have to replace the quotation mark with an HTML entity, as otherwise the browser will think you are simply trying to close the value attribute:

<input id="title" value="<?php echo str_replace('"', '&quot;', $previousValue); ?>">

Edit: Or, as others have correctly pointed out, you can use a shortcut which will catch other cases as well:

<input id="title" value="<?php echo htmlspecialchars($previousValue); ?>">
Derek Henderson
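
An added example (not code from any of the answers above) comparing the quote-only `str_replace` with `htmlspecialchars` on constructed titles. The helper names `escapeQuoteOnly`, `escapeAttr` and `browserValue` are hypothetical, and `html_entity_decode` is used here as a stand-in for the browser's parsing of the attribute value.

```php
<?php
declare(strict_types=1);

// Quote-only replacement, as in the str_replace() variant above.
function escapeQuoteOnly(string $value): string
{
    return str_replace('"', '&quot;', $value);
}

// Full attribute encoding: &, <, >, " and ' with flags and charset given explicitly,
// so the result does not depend on the PHP version's defaults.
function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Assumption: approximates the field value the browser ends up with
// after it parses the encoded attribute.
function browserValue(string $encoded): string
{
    return html_entity_decode($encoded, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample titles (not from the original post).
$titles = [
    'test"',                 // the case from the question
    'Tom & Jerry',           // bare ampersand
    'literal &quot; text',   // user typed an entity as plain text
    "it's <b>bold</b>",      // single quote and markup characters
];

foreach ($titles as $title) {
    foreach (['escapeQuoteOnly', 'escapeAttr'] as $fn) {
        $encoded = $fn($title);
        // A correct encoder must give back exactly the stored title.
        $status = browserValue($encoded) === $title ? 'round-trips' : 'CHANGED';
        printf("%-16s %-22s -> value=\"%s\" [%s]\n", $fn, $title, $encoded, $status);
    }
}
```

The `literal &quot; text` row is the case the quote-only replacement gets wrong: the ampersand is left unencoded, so the entity the user typed is decoded and the field shows a different title than the one stored. `ENT_QUOTES` also covers templates that wrap the attribute in single quotes, which a replacement of `"` alone does not.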