I have created a CRUD system for a contact form.
If I input speech marks (“”), it will not input anything after and including the speech marks.
I use the VARCHAR datatype in the database and type=text in HTML.
Example
In image 1, I have inputted symbols and standard text. This is fine.
In image 2, I have placed the speech marks after the = sign.
As you can see, all the symbols and text that were entered before do not show, as the speech mark is before them.
<div class="row">
    <div class="col-md-12">
        <label for="contact_name" class="form-label">Contact Name</label>
        <input type="text" class="form-control" id="contact_name" name="contact_name" value="<?= $data['record']['contact_name'] ?? '' ?>" placeholder="Enter Site Name" required><br>
    </div>
    <div class="col-12">
        <h6 for="contact_email">Contact Email</h6>
        <input type="text" class="form-control" id="contact_email" name="contact_email" value="<?= $data['record']['contact_email'] ?? '' ?>" placeholder="Leave blank if none"><br><br>
    </div>
    <div class="col-12">
        <h6 for="contact_subject">Subject</h6>
        <input type="text" class="form-control" id="contact_subject" name="contact_subject" value="<?= $data['record']['contact_subject'] ?? '' ?>" placeholder="Floor where Machine is Located"> <br><br>
    </div>
    <div class="col-12">
        <h6 for="contact_message">Message</h6>
        <input type="text" class="form-control" id="contact_message" name="contact_message" value="<?= $data['record']['contact_message'] ?? '' ?>" placeholder="Floor where Machine is Located"> <br><br>
    </div>
    <button type="submit">submit</button>
</div>
Answer
I assume you are talking about when you echo existing values into the field when the form loads? If so, then obviously it won't show anything after double-quotes ("), because double-quotes are also used to close the value attribute in the HTML.
So for example if the output of <?= $data['record']['contact_name'] ?? '' ?> is ABC "DEF", then the final HTML input will look like this when it's received by your browser:
<input type="text" class="form-control" id="contact_email" name="contact_email" value="ABC"DEF"" placeholder="Leave blank if none">
The browser will see value="ABC" and think that's the value of the field, because it interprets the " after C as the end of the value attribute's content.
To avoid this, you must HTML-encode your output, e.g.
<?= htmlspecialchars($data['record']['contact_name'] ?? '') ?>
which in my example would output ABC&quot;DEF&quot;, which will work correctly. Demo:
<input type="text" class="form-control" id="contact_email" name="contact_email" value="ABC&quot;DEF&quot;">
Important note: You should be HTML-encoding any data you echo into your site routinely anyway, to avoid the danger of XSS injection attacks.
Documentation: https://www.php.net/manual/en/function.htmlspecialchars.php
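As an added illustration of the answer above (example code, not from the original post): rendering the same field with and without htmlspecialchars(), on a couple of constructed stored values, so the difference in the produced HTML is visible side by side.

```php
<?php
// Added example, not part of the original answer. Shows a form field value
// interpolated into a value="" attribute raw versus HTML-encoded.

// Constructed sample values, as if loaded from the contact table.
$samples = [
    'ABC "DEF"',                    // the case from the question
    "O'Reilly & Sons <b>bold</b>",  // single quote, ampersand and tags
];

// Unsafe: the stored value is dropped into the attribute as-is. A double
// quote in the data closes the attribute early, which is the cut-off the
// question describes; anything after it is parsed as further markup.
function renderUnsafe(string $value): string
{
    return '<input type="text" name="contact_name" value="' . $value . '">';
}

// Safe: htmlspecialchars() turns ", ', &, < and > into entities, so the
// browser cannot mistake user data for the end of the attribute or for a tag.
// ENT_QUOTES is passed explicitly because before PHP 8.1 the default flags
// left single quotes unencoded; ENT_SUBSTITUTE replaces invalid UTF-8 bytes
// instead of making the function return an empty string.
function renderSafe(string $value): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="contact_name" value="' . $escaped . '">';
}

foreach ($samples as $value) {
    echo "Stored value : $value\n";
    echo "Unsafe HTML  : " . renderUnsafe($value) . "\n";
    echo "Encoded HTML : " . renderSafe($value) . "\n\n";
}
```

The browser decodes the entities when it populates the field, so the user sees the original text while the attribute boundary stays intact.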