Special Characters - Outputting to forms


Outputting data containing special characters such as quotes, slashes, HTML code, etc.

When outputting textual data into forms, the author must ensure that special characters such as quotes do not interfere with the <input> or <textarea> tags. This is done by passing the data through the htmlentities or htmlspecialchars function before it is written into the markup.

However, there is still the problem of magic quotes colliding with your data. The best practice is:
- Use printf and a format string.
The format string should be in double quotes, with any quoted attribute values inside it using single quotes. This, however, prevents a \n character from issuing a linefeed, so the linefeed must be explicitly written as a separate line.

- Wrap data with htmlentities.

Example:

	$fmt = "  <td><input type='text' name='%s' value='%s' size=%s></td>\n";
	// ENT_QUOTES is needed here: the value attribute is single-quoted, and the
	// default flags leave single quotes alone, so a ' in $value would end the attribute early.
	printf($fmt, htmlentities($name, ENT_QUOTES), htmlentities($value, ENT_QUOTES), $size);
	print "\n";

Similarly, when printing data which could possibly contain quotes, use the htmlentities or htmlspecialchars function.

	echo "Value of input field is ".htmlentities($infield);

Note: htmlentities and htmlspecialchars, by default, convert double quotes to &quot; and leave single quotes alone. This behavior can be modified by passing the ENT_QUOTES or ENT_NOQUOTES constant as the second argument of either function.

E.g.,

	echo htmlentities($infield,ENT_QUOTES);

will convert both single and double quotes.
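The following is an added example (not code from the original page) that ties the printf/format-string pattern above to the ENT_QUOTES note: it renders the same single-quoted value='...' attribute with both quote styles escaped, undoes magic quotes when an old PHP build has them enabled, and shows the difference between ENT_COMPAT and ENT_QUOTES on a constructed value. The helper names h(), raw_input() and input_row() are this example's own; passing the flags explicitly avoids depending on the default, which has changed across PHP versions.

```php
<?php
// Added example, not part of the original page.

// Escape a string for use inside an HTML attribute or text node.
// ENT_QUOTES converts both ' and ", so the result is safe inside
// single-quoted as well as double-quoted attributes.
function h($s) {
    return htmlentities((string)$s, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// The page's other concern, magic quotes: on old PHP builds request data
// may already carry backslashes, which must be removed before escaping
// (otherwise O\'Reilly ends up in the form). On PHP 8 the function is
// gone and this is a no-op.
function raw_input($s) {
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($s);
    }
    return $s;
}

// Build the <td><input ...></td> row from the page. Every interpolated
// value is escaped, and size is cast to an integer because it is unquoted
// in the markup.
function input_row($name, $value, $size) {
    $fmt = "  <td><input type='text' name='%s' value='%s' size=%d></td>\n";
    return sprintf($fmt, h($name), h(raw_input($value)), (int)$size);
}

// Constructed sample value containing a single quote, a double quote and
// a tag, the three things that break a single-quoted attribute.
$value = "O'Reilly \"Books\" <b>";

echo input_row('title', $value, 40);

// Side by side: under ENT_COMPAT the single quote is left in place and
// would terminate value='...' early; under ENT_QUOTES it is encoded.
printf("ENT_COMPAT: %s\n", htmlentities($value, ENT_COMPAT, 'UTF-8'));
printf("ENT_QUOTES: %s\n", htmlentities($value, ENT_QUOTES, 'UTF-8'));
```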

See PHP documentation
Also see http://www.onlamp.com/pub/a/php/2004/08/26/PHPformhandling.html