-1

I have a problem with 'hidden':

PHP:

$text = addslashes("Black Sun's zenith");
echo "<input type='hidden' value=".$text." name='saveCard[]'>";

The actual code shown is:

<input type="hidden" value="Black" sun\'s="" zenith="" name="saveCard[]">

The correct code to show is:

<input type="hidden" value="Black Sun's zenith" name="saveCard[]">

Thanks, all.

A. M. Mérida

2 Answers

5

addslashes is a generic routine for escaping content for languages that use the \ character to start an escape sequence. HTML is not such a language, and most languages that are have a better, more specific function to handle escaping.

Use htmlspecialchars, not addslashes, to escape content for HTML.

Since the attribute value contains spaces, you also need to wrap it in quote characters.

echo "<input type='hidden' value=\"".htmlspecialchars($text)."\" name='saveCard[]'>";

As a rule of thumb, try to avoid putting HTML inside PHP strings.

?>
    <input 
        type="hidden"
        value="<?php echo htmlspecialchars($text); ?>" 
        name="saveCard[]">
<?php

Quentin
  • Data not saved to the database. Problem characters = "Sun's". – A. M. Mérida Jul 07 '14 at 12:54
  • 1
    @A.M.Mérida — Probably because something is wrong with the code for taking the submitted data and putting it into the database. See http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php – Quentin Jul 07 '14 at 12:55
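
An added example, not part of the original answers: it puts the question's markup next to the htmlspecialchars-plus-quotes fix from the answer above and parses each tag to show the `value` the form field actually carries. `hiddenInput()` and `parsedValue()` are hypothetical helpers; the code assumes UTF-8 strings and that PHP's DOM extension is available.

```php
<?php
// Added example; hiddenInput() and parsedValue() are hypothetical helpers.

/** Render a hidden input whose name and value are escaped for a quoted attribute. */
function hiddenInput(string $name, string $value): string
{
    // ENT_QUOTES escapes both " and ', so the output is safe whichever quote
    // character delimits the attribute. ENT_SUBSTITUTE replaces invalid UTF-8
    // sequences instead of making htmlspecialchars() return an empty string.
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return sprintf(
        '<input type="hidden" name="%s" value="%s">',
        htmlspecialchars($name, $flags, 'UTF-8'),
        htmlspecialchars($value, $flags, 'UTF-8')
    );
}

/** Parse the markup with an HTML parser and return the first input's value attribute. */
function parsedValue(string $html): ?string
{
    $previous = libxml_use_internal_errors(true); // collect parse errors quietly
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input instanceof DOMElement ? $input->getAttribute('value') : null;
}

$text = "Black Sun's zenith"; // value from the question

$samples = [
    // The question's markup: addslashes() and no quotes around the value.
    'addslashes, unquoted' => "<input type='hidden' value=" . addslashes($text) . " name='saveCard[]'>",
    // The fix from the answer: htmlspecialchars() inside a quoted attribute.
    'htmlspecialchars, quoted' => hiddenInput('saveCard[]', $text),
    // Constructed value containing every character that is special in an attribute.
    'constructed edge case' => hiddenInput('saveCard[]', 'a "b" \'c\' <d> & e'),
];

foreach ($samples as $label => $html) {
    printf("%s\n  markup: %s\n  parsed: %s\n", $label, $html, var_export(parsedValue($html), true));
}
```

Comparing each parsed value with the string that was passed in shows whether the attribute survived a round trip through the parser.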
0

Yes, putting {} around the $text variable should help.

Sled
Rod Watts