Quotes in a posted variable is not displaying with echo on the next page

Question

I have a hidden field <input type="hidden" name="thischeckout" id="thischeckout" value="<?php echo $htmlTable;?>"> in a form that is submitted.

When I use <?php echo $_POST["thischeckout"];?> on the next page, only a portion of the content is being displayed. I suspect quotes in $htmlTable are messing with the output.

Can I replace quotes with something that won't mess up when I output the POST via the php echo?

You probably need to escape the variable [`$htmlTable`](https://stackoverflow.com/a/2109602/231316) — Chris Haas, May 25 '20 at 17:04
Doesn't work. Still only getting partial value of the field. — Proventus, May 25 '20 at 18:53
Did you also set the `ENT_QUOTES` flag? Otherwise, your code might be producing something like `">`. When a parser sees an opening quote for an attribute, it keeps reading until it finds a matching quote, so in my sample it finds ` — Chris Haas, May 26 '20 at 13:00
Ah... that's EXACTLY what is happening. ```ENT_QUOTES``` solved it. Many thanks. BTW, how do I assign the answer to you? — Proventus, May 26 '20 at 20:36

score 1 · Accepted Answer · answered May 26 '20 at 21:19

When you escape the output using htmlspecialchars, you have to tell the function the context for the escape. In this case, passing ENT_QUOTES is sufficient since that's really the only character that needs to be specially handled in a general HTML attribute.

<input type="hidden" name="thischeckout" id="thischeckout" value="<?php echo htmlspecialchars($htmlTable, ENT_QUOTES);?>">

Quotes in a posted variable is not displaying with echo on the next page

1 Answers1