3

This should be fairly easy but I don't see what I'm missing here:

I have my database and I want the alt attribute to be populated from it.

I have my code as follows:

  <img src="admin/uploads/retouch/'.$list->thumbnail.'" class="thumb-image" alt="'.utf8_encode(addslashes($list->titulo)).'" />

And it happens that in this case what's inside "titulo" in my database has " on it and I get this as a result in my code:

  <img ti!\""="" por="" ¡hazlo="" manos.="" en="" estÁ="" prestaciones="" tus="" mejorar="" alt="\" class="thumb-image" src="admin/uploads/retouch/noticia_default.png">

The sentence from the database is: "MEJORAR TUS PRESTACIONES ESTÁ EN TUS MANOS. ¡HAZLO POR TI!"

Elaine Marley
  • possible duplicate of [What's the best practice to set html attribute via PHP?](http://stackoverflow.com/questions/2109583/whats-the-best-practice-to-set-html-attribute-via-php) – Jens Apr 10 '14 at 05:24

4 Answers

8

You should be using htmlspecialchars not addslashes, with the utf8 option!

  alt="'.htmlspecialchars($list->titulo, ENT_QUOTES, 'UTF-8').'"

fire
1

Use htmlentities or htmlspecialchars to escape strings in tag attributes.

IvanGL
1

You need to escape such content using PHP function htmlspecialchars().

Gedrox
1

You should encode with htmlentities instead of adding slashes:

  alt="'.htmlentities($list->titulo, ENT_QUOTES, 'UTF-8').'"

Nicola Peluchetti
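
The difference the answers describe, as an added example that is not part of any post above: it renders the question's title and two constructed ones through `addslashes()` and through `htmlspecialchars()`, and checks whether each result can sit inside `alt="..."`. The helper names `attr` and `isSafeAttr`, the file name `thumb.png`, and the assumption that the script file is saved as UTF-8 and `mbstring` is loaded are mine.

```php
<?php
// Added example, not code from the thread. Titles and file name are constructed.

// Escape a value for use inside a quoted HTML attribute.
function attr(string $value): string
{
    // ENT_QUOTES escapes both " and '. ENT_SUBSTITUTE replaces invalid UTF-8
    // with U+FFFD; without it htmlspecialchars() returns '' for such input.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// True when the value can sit inside alt="..." without ending the attribute
// or opening a tag, and decodes back to exactly the original text.
function isSafeAttr(string $escaped, string $original): bool
{
    return strpbrk($escaped, "\"'<>") === false
        && html_entity_decode($escaped, ENT_QUOTES, 'UTF-8') === $original;
}

$titles = [
    '"MEJORAR TUS PRESTACIONES ESTÁ EN TUS MANOS. ¡HAZLO POR TI!"', // from the question
    'Retouch" data-injected="1',  // constructed: a quote followed by a new attribute
    "It's 5 < 6 & true",          // constructed: ', < and & in one value
];

foreach ($titles as $title) {
    // addslashes() only prepends backslashes, which HTML does not treat as an
    // escape, so the first " still closes the attribute.
    $broken = addslashes($title);
    $fixed  = attr($title);

    printf("addslashes       safe=%s  <img src=\"thumb.png\" alt=\"%s\" />\n",
        var_export(isSafeAttr($broken, $title), true), $broken);
    printf("htmlspecialchars safe=%s  <img src=\"thumb.png\" alt=\"%s\" />\n\n",
        var_export(isSafeAttr($fixed, $title), true), $fixed);
}

// Constructed: byte 0xC1 is "Á" in ISO-8859-1 but is not valid UTF-8 by itself.
// With the 'UTF-8' charset and no ENT_SUBSTITUTE, such input makes
// htmlspecialchars() return an empty string, so Latin-1 data from the
// database has to be converted to UTF-8 before escaping.
$latin1 = "EST\xC1";
var_dump(htmlspecialchars($latin1, ENT_QUOTES, 'UTF-8'));
var_dump(attr(mb_convert_encoding($latin1, 'UTF-8', 'ISO-8859-1')));
```

The second title shows why this matters beyond broken markup: with `addslashes()` a stored value containing `"` can add its own attributes to the tag.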