I have created a CRUD system for a contact form.
If I input speech marks ("") nothing after and including the speech marks is inputted.
I use the VARCHAR datatype in the database and type=text in HTML.
Example
In image 1 I have inputted symbols and standard text. This is fine.
In image 2 I have placed the speech marks after the = sign.
As you can see, all the symbols and text that were entered before do not show, as the speech mark is before them.
<div>
<div>
<label for="contact_name">Contact Name</label>
<input type="text" id="contact_name" name="contact_name" value="<?= $data['record']['contact_name'] ?? '' ?>" placeholder="Enter Site Name" required><br>
</div>
<div>
<h6 for="contact_email">Contact Email</h6>
<input type="text" id="contact_email" name="contact_email" value="<?= $data['record']['contact_email'] ?? '' ?>" placeholder="Leave blank if none"><br><br>
</div>
<div>
<h6 for="contact_subject">Subject</h6>
<input type="text" id="contact_subject" name="contact_subject" value="<?= $data['record']['contact_subject'] ?? '' ?>" placeholder="Floor where Machine is Located"> <br><br>
</div>
<div>
<h6 for="contact_message">Message</h6>
<input type="text" id="contact_message" name="contact_message" value="<?= $data['record']['contact_message'] ?? '' ?>" placeholder="Floor where Machine is Located"> <br><br>
</div>
<button type="submit">submit</button>
</div>
CodePudding user response:
I assume you are talking about when you echo existing values into the field when the form loads? If so, then obviously it won't show anything after double-quotes ("), because double-quotes are also used to close the value attribute in the HTML.
So for example if the output of <?= $data['record']['contact_name'] ?? '' ?> is ABC "DEF" then the final HTML input will look like this when it's received by your browser:
<input type="text" id="contact_email" name="contact_email" value="ABC "DEF"" placeholder="Leave blank if none">
The browser will see value="ABC " and think that's the value of the field, because it interprets the " after C as the end of the value attribute's content.
To avoid this, you must HTML-encode your output, e.g.
<?= htmlspecialchars($data['record']['contact_name'] ?? '') ?>
which in my example would output ABC &quot;DEF&quot;, which will work correctly. Demo:
<input type="text" id="contact_email" name="contact_email" value="ABC &quot;DEF&quot;">
Important note: You should be HTML-encoding any data you echo into your site routinely anyway, to avoid the danger of XSS injection attacks.
Documentation: https://www.php.net/manual/en/function.htmlspecialchars.php
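The fix described above, as an added example that is not part of either answer: a small escaping helper and a render function, applied to a constructed sample record (the helper name e() and renderInput() are my own choices, not anything from the poster's project).

```php
<?php
// Added example (not the original poster's code): escape every value
// echoed into an HTML attribute so a double quote in the data cannot
// terminate the attribute early or inject markup.
declare(strict_types=1);

// ENT_QUOTES encodes both " and ' (so single-quoted attributes are safe too);
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of silently returning ''.
function e(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Build one <input> the way the question's form does, but with the
// value (and the name, for good measure) passed through e().
function renderInput(string $name, ?string $value): string
{
    return sprintf(
        '<input type="text" id="%1$s" name="%1$s" value="%2$s">',
        e($name),
        e($value)
    );
}

// Constructed sample record: the quote case from the question, a value
// with the other characters htmlspecialchars handles, and a missing field.
$record = [
    'contact_name'    => 'ABC "DEF"',
    'contact_subject' => "O'Neil & Sons <Floor 3>",
    'contact_message' => null,
];

foreach ($record as $field => $value) {
    echo renderInput($field, $value), PHP_EOL;
}
// Every " inside a value now reaches the browser as &quot;, so the
// attribute ends exactly where the template's closing quote is.
```

View the page source in the browser after the change: the stored text reappears in full, and the value attribute is a single well-formed quoted string.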
CodePudding user response:
Use your browser's debugging tools to observe the actual HTML that you are emitting to the client. There you will see the difference between something like this:
value="text without quotes"
and something like this:
value="text with "quotes""
From the perspective of the web browser's rendering engine, what would be the "value" of the value attribute in the latter example? It would be simply "text with ", and everything afterward is just nonsense that gets ignored.
HTML-encode your values before outputting them. Something like this:
value="<?= htmlentities($data['record']['contact_name'] ?? '') ?>"
Which would then output as:
value="text with &quot;quotes&quot;"
Which is more meaningfully parsed by the browser's rendering engine.