Wednesday, January 6, 2016

php, escape quotes in html input value



In a form such as

 <input type="text" name="firstname" value="<?php echo $_POST['firstname']; ?>" />

the submitted value is echoed straight back into the attribute with no escaping. If $_POST['firstname'] contains a double quote (the character that delimits the attribute), e.g. O"test, the quote closes the attribute early and whatever follows is parsed as markup; a value like " onfocus="alert(1) turns the form into a reflected XSS sink. A single quote such as O'test happens to survive inside a double-quoted attribute, but it breaks the page the same way if the attribute is written as value='...'.

So the value must be escaped with htmlspecialchars() or htmlentities() before it is echoed.

But we need to pass ENT_QUOTES so that the single quote is escaped as well as the double quote, i.e.

 htmlspecialchars($_POST['firstname'], ENT_QUOTES)

Before PHP 8.1 the default flags were ENT_COMPAT | ENT_HTML401, which leave the single quote untouched; from 8.1 the default is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, but passing the flags explicitly keeps the code correct on every version. Two further caveats: the attribute must actually be quoted (htmlspecialchars() does nothing to protect value=<?php ... ?> without quotes, where a space is enough to start a new attribute), and on invalid UTF-8 input htmlspecialchars() returns an empty string unless ENT_SUBSTITUTE is also set.

More about htmlspecialchars:
  • '&' (ampersand) becomes '&amp;'
  • '"' (double quote) becomes '&quot;' unless ENT_NOQUOTES is set.
  • "'" (single quote) becomes '&#039;' (or '&apos;' with ENT_HTML5, ENT_XHTML or ENT_XML1) only when ENT_QUOTES is set.
  • '<' (less than) becomes '&lt;'
  • '>' (greater than) becomes '&gt;'
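The following is an added example (not code from the original post) that puts the unescaped form above next to an escaped version and runs both over a few constructed inputs, covering the ENT_QUOTES point as well as the character list just given. The helper name e(), the renderRaw()/renderSafe() wrappers and the sample strings are assumptions made for this example.

```php
<?php
// Added example for this post, not the post's own code. Compares the raw echo
// from the form above with an escaped version over constructed inputs.
// The helper name e() and the sample strings are assumptions of this example.
declare(strict_types=1);

// "Before": the value goes straight into the attribute, as in the post's form.
function renderRaw(string $firstname): string
{
    return '<input type="text" name="firstname" value="' . $firstname . '" />';
}

// Attribute-context escaping.
//  ENT_QUOTES     converts both " and ', so it is safe whichever quote delimits the attribute.
//  ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD; without it htmlspecialchars()
//                 returns an empty string for such input and silently drops what the user typed.
//  ENT_HTML5      uses HTML5 entities (&apos; for the single quote); 'UTF-8' pins the
//                 charset instead of relying on the default_charset ini setting.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// "After": the same form with the value passed through e().
function renderSafe(string $firstname): string
{
    return '<input type="text" name="firstname" value="' . e($firstname) . '" />';
}

// Constructed inputs, not captured traffic.
$samples = [
    "O'test",                            // survives a double-quoted attribute, breaks value='...'
    'O"test',                            // closes the attribute early in the raw version
    '" autofocus onfocus="alert(1)',     // attribute injection: raw output gains an event handler
    '</input><script>alert(1)</script>', // element breakout in the raw version
    "caf\xC3\xA9",                       // valid UTF-8 (é) must pass through unchanged
    "bad\xFFbyte",                       // invalid UTF-8: kept (with U+FFFD) thanks to ENT_SUBSTITUTE
];

foreach ($samples as $input) {
    echo "raw : ", renderRaw($input), PHP_EOL;
    echo "safe: ", renderSafe($input), PHP_EOL, PHP_EOL;
}

// The ENT_QUOTES difference itself: ENT_COMPAT (the pre-8.1 default) leaves the
// single quote alone, ENT_QUOTES converts it.
echo htmlspecialchars("O'test", ENT_COMPAT), PHP_EOL;
echo htmlspecialchars("O'test", ENT_QUOTES), PHP_EOL;
```

Run it with the PHP CLI (php escape.php, where escape.php is whatever you saved it as) and read the raw and safe lines side by side: in the raw lines the double-quote and event-handler inputs visibly end the value attribute and append their own markup, while every safe line is a single well-formed input element whose value attribute contains only entities and ordinary text. The two echoes at the end show the single quote untouched under ENT_COMPAT and converted under ENT_QUOTES.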
