Non-escaped data breaks input tag value attribute

[grahamsimmons]

How can I place the data Fred "O'Brien" Bloggs into the VALUE attribute of an INPUT tag without breaking the HTML code?

 

Example ...

 

//Get name from users table where id is 1.

$res = @mysql_query("SELECT name FROM users WHERE ID='1'");

$name = mysql_result($res, 0, "name"); //Now contains Fred "O'Brien" Bloggs

 

//Now place $name into INPUT tag

<input type="text" name="name" value="<?php echo $name?>">

 

Whether I use double or single quote on the value attribute I'm going to get an issue due to the data being placed in it. To stop the error I could use mysql_real_escape_string, but I don't want to show escaped data to the user as that's not what they entered.

 

Please help a man nearly in tears!

[Adam]

Converting them to HTML entities should work:

 

<input type="text" name="name" value="<?php echo htmlentities($name); ?>">

[RussellReal]

when you submit that form, it WILL still be sent as & < etc...

 

So when you receive the data, apply html_entity_decode() to it to make it plain text again without all the html specific entities

[grahamsimmons]

Both htmlentities and html_entity_decode worked great, so not quite sure which I should use or even if it makes any difference!

 

Thank you very much MrAdam and RussellReal for such a quite reply and my tears are now tears of joy 

[thebadbad]

You use both; htmlentities() to encode the data and then html_entity_decode() to decode it back to the original string. Although I would recommend the more simple htmlspecialchars() and htmlspecialchars_decode() in your example.