
I retrieve three pieces of information from the database. 1 integer, 1 string, 1 date. I echo them out to verify the variables contain the data.

When I then use the variables to populate three input boxes on the page, they do not populate correctly.

The following do not work:

id: <input type="text" name="idtest" value=$idtest>

yes, the variable must be inside for it to be visible

so

id: <input type="text" name="idtest" value=<?php $idtest ?> /> 

the field displays /

When I escape the quotes

id: <input type="text" name="idtest" value=\"<?php $idtest ?>\"  /> 

the field then displays \"\"

With single quotes

id: <input type="text" name="idtest" value='<?php $idtest ?>'  /> 

The field displays nothing or blank

With single quotes escaped

id: <input type="text" name="idtest" value=\'<?php $name ?>\'  />

The field displays \'\'

with a forward slash (I know that's not correct, but to eliminate it from discussion)

id: <input type="text" name="idtest" value=/"<?php $name ?>/"  /> 

The field displays /"/"

Double quotes, escaped double quotes, escaped double quotes on the left side only, etc. do not work.

I can set an input box to a string. I have not tried using a session variable as I prefer to avoid doing that.
What am I missing here?


2 Answers

Try something like this:

<input type="text" name="idtest" value="<?php echo htmlspecialchars($name); ?>" />

That is, the same as what thirtydot suggested, except preventing XSS attacks as well.

You could also use the <?= syntax (see the note), although that might not work on all servers. (It's enabled by a configuration option.)

Would it not be better to use htmlspecialchars instead in this context? – thirtydot Dec 15 '10 at 4:54
@thirtydot: You're probably right. I'll change it. – icktoofay Dec 15 '10 at 5:02
@thirtydot htmlentities converts all the characters that htmlspecialchars does and then some – Phil Dec 15 '10 at 5:02
+1 for thinking about XSS – thirtydot Dec 15 '10 at 5:03
@Phil Brown: Yes, so htmlentities needlessly converts a bunch of characters which are irrelevant to preventing XSS. It doesn't really matter - I just felt like pointing out something pedantic like the "echo is a statement" comment :) – thirtydot Dec 15 '10 at 5:08

You need, for example:

<input type="text" name="idtest" value="<?php echo $idtest; ?>" />

The echo function is what actually outputs the value of the variable.

Technically echo is a statement, not a function. – icktoofay Dec 15 '10 at 4:45
You are of course correct, but it didn't seem important to make the distinction for this question. – thirtydot Dec 15 '10 at 4:50
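Putting both answers together, here is an added example (not code from the question or from either answer) that renders the three fields the question describes: an integer, a string and a date. The values are constructed stand-ins for what the database query would return; the string deliberately contains a quote and a tag so you can see what echoing it through htmlspecialchars() does. The helper name h() and the ENT_QUOTES | ENT_HTML5 flags are my choices, not something from the page.

```php
<?php
// Constructed sample values standing in for the three database columns.
$idtest = 42;                        // integer column
$name   = '"><b>breakout</b>';       // constructed string containing " and <
$date   = '2010-12-15';              // date column, fetched as a string

// Escape for use inside an HTML attribute. ENT_QUOTES encodes both " and '
// (the default only encodes "), and the charset is declared explicitly.
// Casting to string keeps the integer and the date working through the same path.
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
?>
id:   <input type="text" name="idtest" value="<?php echo h($idtest); ?>" />
name: <input type="text" name="name"   value="<?php echo h($name); ?>" />
date: <input type="text" name="date"   value="<?php echo h($date); ?>" />
```

The unescaped version from thirtydot's answer, `value="<?php echo $name; ?>"`, would emit `value=""><b>breakout</b>"`, closing the attribute and the tag early so the browser renders a bold element instead of a text box containing that string. With h() the same line emits `value="&quot;&gt;&lt;b&gt;breakout&lt;/b&gt;"`, and the field shows the literal characters. Note that without any echo (the question's `<?php $idtest ?>`) PHP evaluates the expression and prints nothing at all, which is why the field was coming out empty.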
