Quotes (' ") as value in an HTML form

Rohan_Hill

In the HTML output of a PHP script, I have an input field which contains a value which has previously been set by the user. My problem is that this value could contain a " or a '. Since the value of the field needs to be surrounded by quotes in the HTML, it doesn't work when people have previously entered quotes as this value.

I've tried getting PHP to put a \ before the quotes but this doesn't work in HTML, and if I replace the quotes with say the ' code which makes a ', that text shows up in the input field.

Other than javascript, anyone know a way around this?

jpmoriarty

im curious as to why putting a slash before them doesnt work - it should do.

Personally first I'd htmlspecialchars() to get rid of the " and turn them into "'s (which should work fine in a value field, and i'd use " to surrond the value so that the apostrophies are ignored:

User enters - this is "my value" and isn't it nice (which we'll assign to $variable)

$variable = htmlspecialchars($variable);
echo "<input type=\"hidden\" value=\"$variable\">";

I cant see why that wont work.

Pig

Usually, you should use htmlspecchars with most form data to prevent your problem, as well as malicious tags such as <img> or even worse: <script>