Using a PHP variable in a text input value = statement
Solution 1
Try something like this:
<input type="text" name="idtest" value="<?php echo htmlspecialchars($name); ?>" />
That is, the same as what thirtydot suggested, except preventing XSS attacks as well.
You could also use the <?= syntax (see the note), although that might not work on all servers. (It's enabled by a configuration option.)
Solution 2
You need, for example:
<input type="text" name="idtest" value="<?php echo $idtest; ?>" />
The echo function is what actually outputs the value of the variable.
Solution 3
You are missing an echo. Each time that you want to show the value of a variable to HTML you need to echo it.
<input type="text" name="idtest" value="<?php echo $idtest; ?>" >
Note: Depending on the value, your echo is the function you use to escape it like htmlspecialchars.
Solution 4
From the HTML point of view everything's been said, but to correct the PHP-side approach a little and taking thirtydot's and icktoofay's advice into account:
<?php echo '<input type="text" name="idtest" value="' . htmlspecialchars($idtest) . '">'; ?>
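The escaping recommended in Solutions 1 and 4, as an added example that is not part of any answer on this page. The helper names attr and text_input, the field names nametest and datetest, and the sample row are assumptions made for illustration. ENT_QUOTES is passed explicitly because before PHP 8.1 the default flags of htmlspecialchars did not escape single quotes, which matters for the single-quoted value='...' variant tried in the question.

```php
<?php
// Hypothetical helper: escape any scalar for use inside a quoted HTML attribute.
// ENT_QUOTES escapes both " and ', so the output is safe with either quote style.
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function attr($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: render one labelled text input with every part escaped.
function text_input(string $label, string $name, $value): string
{
    return sprintf(
        '%s: <input type="text" name="%s" value="%s" />',
        attr($label),
        attr($name),
        attr($value)
    );
}

// Constructed sample row standing in for the integer, string and date
// that the question retrieves from the database.
$row = [
    'idtest'   => 42,
    'nametest' => 'Pat "Mac" O\'Neil <admin>',
    'datetest' => new DateTimeImmutable('2020-04-14'),
];

echo text_input('id', 'idtest', $row['idtest']), "\n";
// The quotes and angle brackets in the name are emitted as entities,
// so they stay inside the value attribute instead of ending it.
echo text_input('name', 'nametest', $row['nametest']), "\n";
// A date object is not a string: format it first, then escape the result.
echo text_input('date', 'datetest', $row['datetest']->format('Y-m-d')), "\n";
```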
malcolm laplante
Updated on April 14, 2020
Comments
-
malcolm laplante about 4 years
I retrieve three pieces of information from the database, one integer, one string, and one date.
I echo them out to verify the variables contain the data.
When I then use the variables to populate three input boxes on the page, they do not populate correctly.
The following do not work:
id: <input type="text" name="idtest" value=$idtest>
Yes, the variable must be inside <?php var ?> for it to be visible.
So:
id: <input type="text" name="idtest" value=<?php $idtest ?> />
The field displays /.
When I escape the quotes,
id: <input type="text" name="idtest" value=\"<?php $idtest ?>\" />
the field then displays \"\".
With single quotes
id: <input type="text" name="idtest" value='<?php $idtest ?>' />
the field displays nothing or blank.
With single quotes escaped,
id: <input type="text" name="idtest" value=\'<?php $name ?>\' />
the field displays \'\'.
With a forward slash (I know that's not correct, but to eliminate it from the discussion),
id: <input type="text" name="idtest" value=/"<?php $name ?>/" />
the field displays /"/".
Double quotes, escape double quotes, escape double quotes on left side only, etc. do not work.
I can set an input box to a string. I have not tried using a session variable as I prefer to avoid doing that.
What am I missing here?
-
icktoofay over 13 years
Technically echo is a statement, not a function.
-
thirtydot over 13 years
You are of course correct, but it didn't seem important to make the distinction for this question.
-
thirtydot over 13 years
Would it not be better to use htmlspecialchars instead in this context?
-
Phil over 13 years
@thirtydot htmlentities converts all the characters that htmlspecialchars does and then some
-
thirtydot over 13 years
@Phil Brown: Yes, so htmlentities needlessly converts a bunch of characters which are irrelevant to preventing XSS. It doesn't really matter - I just felt like pointing out something pedantic like the "echo is a statement" comment :)
-
malcolm laplante over 13 years
Thank you all for the above and below. All three examples "echo, htmlentities, htmlspecialchars" work (had to try all to see how they operate). Your discussion displays my lack of knowledge in this area. Applications on Windows are one world (VB, SQL server, C, etc), but web applications cover a whole new slew of syntax issues/protocols. I no longer work in that world and am playing with this just for fun. I have much to learn. Thank you again from a newbie (all over again).
-
Fida over 7 years
In fact, it's a language construct :D, Of course that's not the point ;)
-
Arpit Patel over 5 years
You saved me man thanks a lot. I wish I could give more votes. Thank you @icktoofay