dreamend

Reputation: 79

Character Problem with PHP and HTML

I have a variable which is like

$name=' 18 " LCD TV ';

When I try to use it in an HTML input, it doesn't show the characters after the "

What can I do?

Upvotes: 0

Views: 106

Answers (3)

Carlos Campderrós

Reputation: 22972

Not using htmlspecialchars may lead to Cross-site Scripting attacks (search for XSS). Use this:

<input type="text" value="<?php echo htmlspecialchars($name, ENT_QUOTES);?>" />

This would HTML-encode quotes, <, > and & symbols into the equivalent HTML entities. See htmlspecialchars or htmlentities.

Addendum: The rationale behind this is the same concept to prevent SQL Injections or Shell code execution: "Filter Input, Escape Output". Every medium has special characters that you cannot output normally in that medium. For XML/HTML they are ', ", <, >, and &. For SQL they are ', ", \, \0 and some more. And for the Shell they are ;, ', ", `, $ and also some more. Every time you launch a query to the database, output something in your html or execute some command on your server via php, you need to take this into account. And for every medium PHP has its own prevention function:

  • SQL: mysql_real_escape_string, mysqli_real_escape_string, pdo_quote, pg_escape_string or prepared statements.
  • HTML: htmlentities, htmlspecialchars
  • Shell: escapeshellcmd, escapeshellarg

Upvotes: 4

gnur

Reputation: 4733

When you output special characters (& ' " < >) in HTML you need to escape them; one method is doing this:

$name = htmlentities(' 18 " LCD TV ');

Upvotes: 1

Tomgrohl

Reputation: 1767

Use htmlentities or htmlspecialchars:

htmlentities will do all html tags.

htmlspecialchars will just do:

& " ' < >

Example

<input type="text" value="<?php echo htmlentities( $text );?>" />

If you do:

<input type="text" value="<?php echo $text;?>" />

It's essentially doing:

value="18 " LCD TV"

So the " after 18 is closing the value property

Upvotes: 4
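As an added example (my own script, not code from the question or any of the answers above), the following renders the question's value into an input attribute unescaped, with the default ENT_COMPAT flag, and with ENT_QUOTES, and flags each case where the attribute delimiter is still present raw and would close the attribute early; the sample value, function names and the attributeIsIntact check are assumptions of this example, not anything from the answers.

```php
<?php
// Added example, not code from the question or any of the answers.
// Shows the attribute-breaking problem and why ENT_QUOTES matters when
// the attribute happens to be single-quoted. Run with: php attr_escape.php
declare(strict_types=1);

// Escape a value for use inside an HTML attribute. $flags === null means
// "no escaping" (the broken version from the question). ENT_SUBSTITUTE makes
// invalid UTF-8 become U+FFFD instead of silently returning "".
function escapeAttr(string $value, ?int $flags): string
{
    return $flags === null
        ? $value
        : htmlspecialchars($value, $flags | ENT_SUBSTITUTE, 'UTF-8');
}

// Build an <input> whose value attribute is delimited by $quote ('"' or "'").
function renderInput(string $value, string $quote, ?int $flags): string
{
    return '<input type="text" value=' . $quote . escapeAttr($value, $flags) . $quote . ' />';
}

// Minimal check: does the escaped value still contain a raw copy of its own
// delimiter? If so, the browser closes the attribute at that point.
function attributeIsIntact(string $value, string $quote, ?int $flags): bool
{
    return strpos(escapeAttr($value, $flags), $quote) === false;
}

// Constructed sample carrying both kinds of quote (the question only had ").
$name = " Bob's 18 \" LCD TV ";

$cases = [
    'raw, double-quoted'        => ['"', null],        // BROKEN: " closes value
    'ENT_COMPAT, double-quoted' => ['"', ENT_COMPAT],  // OK: " -> &quot;
    'ENT_COMPAT, single-quoted' => ["'", ENT_COMPAT],  // BROKEN: ' left raw
    'ENT_QUOTES, double-quoted' => ['"', ENT_QUOTES],  // OK
    'ENT_QUOTES, single-quoted' => ["'", ENT_QUOTES],  // OK: ' -> &#039;
];

foreach ($cases as $label => [$quote, $flags]) {
    printf("%-26s %-6s %s\n",
        $label,
        attributeIsIntact($name, $quote, $flags) ? 'OK' : 'BROKEN',
        renderInput($name, $quote, $flags));
}
```

The ENT_COMPAT single-quoted row is the case to remember: escaping only the double quote is enough for the question's template but not for every attribute, so ENT_QUOTES is the setting to use everywhere.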
