Use of double quotes in a 'input type=“text”' value wont work, string stops at double-quote !

Question

How can I make it possible for users to use the \'\"\' (double quote) inside a textfield...

Whenever I do use double-quote in the field (the value) then when receiving t

Answer 1

The reason it isn't working when you're outputting it into the input is because the value is being truncated at the quote. You'll need to use htmlspecialchars() on the output.

Answer 2

Its not the job of the JS to modify the input string, server should make sure it can accept what its getting regardless.

You could escape out the double quotes with another value either Assci symbol or HTML " etc. before you pass it into your mysql escape function?

Answer 3

You're mixing up two things: mysql_real_escape_string is used to prepare strings for storing in a mysql database. htmlentities is used to prepare strings for echoing in the browser. Both are important to do, but calling one after the other on the same string can't be expected to work. Do something like the following:

// Copy string after escaping for mysql into $db_headline
$db_headline= mysql_real_escape_string($_POST['headline']);

// Copy string after escaping for page display into $html_headline
$html_headline = htmlentities($_POST['headline']);

// Store the headline in the database

...

?>
<input type="text" name="headline" value="<?php echo $html_headline ?>" />

...

Answer 4

You have to use htmlspecialchars($str, ENT_QUOTES) or htmlentities($str, ENT_QUOTES) to convert the quotes to the HTML entity ". Those function also take care of other characters that should be encoded.

mysql_real_escape_string() is only meant for escaping single quotes in database queries, so that you can correctly enter strings with single quotes into your database (and avoid SQL injections).

EDIT: Added parameters. Thanks to micahwittman