HTML form displaying values as <?=$name?>

[shadiadiph]

Hi,

 

Probably a silly question I have a page where I save a form with <input type="text" name="name" value="<?=$name?>" />

to an SQL database

 

When I call it from the database $name is already called prior to calling the form but when it displays it displays the input field with the php code <?=$name?> I tried <?php echo or just using $name got the same results each time is there anyway to make this work so it displays the variable instead of the php text?

[KaiSheng]

1) The value is the one that shows up on the form page.

2) Is your form using PHP_SELF method?

3) What are you trying to achieve?

 

---

I assumed that you want to make a form that auto generates the username for the user so that they do not need to type again.

So, the code will be

<input type="text"  name="username" value="<?php echo $row['username']; ?>" readonly="readonly"  >

 

Please remember your query on the top.

[shadiadiph]

Actually i am:

 

1) saving the form with <input type="text" name="name" value="<?=$name?>" /> to sql

2) calling $name

3) calling $form which has the above input tag

4) echo $form and it is showing the php code as the value

Edited November 15, 2013 by shadiadiph

[shadiadiph]

Solved it with just had to evaluate the php code which must be like <input type="text" name="name" value="<?php echo $name ?>" /> when it is saved to work

 

 

$form=$fdata["form"];
eval('?> ' .  $form . ' <?php ');

[Barand]

With PHP version < 5.4, the following willl work only if short_tags are enabled.

<input type="text" name="name" value="<?=$name?>" />

if short_tags as disabled in the php.ini file you need to use

<input type="text" name="name" value="<?php echo $name?>" />

Version >=  5.4  - this will work regardless of short_tag setting

<input type="text" name="name" value="<?=$name?>" />

There should be no need for you to use eval() at all.

Edited November 15, 2013 by Barand

[mac_gyver]

by using eval() you have opened yourself up to let hackers run their php code on your server. you must now validate that the $name variable (or any other value you put into the eval() statement) does not contain php code. does the rest of your code contain sufficient validation to insure someone isn't going to take over your web site?

 

databases are for storing data, not code. if you want to store html makeup in your database, you need to use a template system where values have place-holders and the template essentially does a search/replace at runtime to put the values into the markup.

Edited November 15, 2013 by mac_gyver

[shadiadiph]

so you mean something along the lines if i must store a form it should be save as <input type="text" name="name" value="#_namex" />

 

And when i call the $form use str_replace or preg_replace to change it up?

[mac_gyver]

yes to your last post.

[shadiadiph]

thanks makes sense guess i need to sleep more brain is not working 100% lol