Reading CRUD won't show " marks

I have created a CRUD system for a contact form.

If I input speech marks (""), nothing after and including the speech marks is saved or shown.

I use the VARCHAR datatype in the database and type=text in HTML.


Example

In image 1, I have input symbols and standard text. This is fine.

In image 2, I have placed the speech marks after the = sign.

As you can see, all the symbols and text that were entered before do not show, as the speech mark is in front of them.

https://imgur.com/a/71I62NM

<div class="row">
  <div class="col-md-12">
    <label for="contact_name" class="form-label">Contact Name</label>
    <input type="text" class="form-control" id="contact_name" name="contact_name" value="<?= $data['record']['contact_name'] ?? '' ?>" placeholder="Enter Site Name" required><br>
  </div>
  <div class="col-12">
    <h6 for="contact_email">Contact Email</h6>
    <input type="text" class="form-control" id="contact_email" name="contact_email" value="<?= $data['record']['contact_email'] ?? '' ?>" placeholder="Leave blank if none"><br><br>
  </div>
  <div class="col-12">
    <h6 for="contact_subject">Subject</h6>
    <input type="text" class="form-control" id="contact_subject" name="contact_subject" value="<?= $data['record']['contact_subject'] ?? '' ?>" placeholder="Floor where Machine is Located"><br><br>
  </div>
  <div class="col-12">
    <h6 for="contact_message">Message</h6>
    <input type="text" class="form-control" id="contact_message" name="contact_message" value="<?= $data['record']['contact_message'] ?? '' ?>" placeholder="Floor where Machine is Located"><br><br>
  </div>

  <button type="submit">submit</button>
</div>

>Solution:

I assume you are talking about when you echo existing values into the field when the form loads? If so, then obviously it won’t show anything after double-quotes ("), because double-quotes are also used to close the value attribute in the HTML.

So for example if the output of <?= $data['record']['contact_name'] ?? '' ?> is ABC "DEF" then the final HTML input will look like this when it’s received by your browser:

<input type="text" class="form-control" id="contact_email" name="contact_email" value="ABC"DEF""  placeholder="Leave blank if none">

The browser will see value="ABC" and think that’s the value of the field, because it interprets the " after C as the end of the value attribute’s content.

To avoid this, you must HTML-encode your output, e.g.

<?= htmlspecialchars($data['record']['contact_name'] ?? '') ?>

which in my example would output ABC&quot;DEF&quot;, which will work correctly. Demo:

<input type="text" class="form-control" id="contact_email" name="contact_email" value="ABC&quot;DEF&quot;">

Important note: You should be HTML-encoding any data you echo into your site routinely anyway, to avoid the danger of XSS injection attacks.

Documentation: https://www.php.net/manual/en/function.htmlspecialchars.php
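A runnable version of the fix described in the answer, added here as an example; it is not code from the original answer or from the asker's project. It assumes only standard PHP; the helper names e() and render_input(), and the sample values standing in for $data['record'], are my own constructions. Note that the raw text (including the quotes) is what belongs in the VARCHAR column; encoding is applied only at the moment the value is echoed into HTML, never before storing it, otherwise the record is double-encoded the next time the form is edited.

```php
<?php
// Added example, not the original post's code. Shows why an unescaped
// value breaks the value="" attribute and how htmlspecialchars() fixes it.
declare(strict_types=1);

/**
 * Escape a string for insertion into HTML text or a quoted attribute.
 * ENT_QUOTES also converts single quotes, so the result is safe inside
 * value='...' as well as value="...". ENT_SUBSTITUTE replaces invalid
 * UTF-8 instead of returning an empty string (which would silently drop
 * the whole field). Passing the flags explicitly matters on PHP < 8.1,
 * where the default was ENT_COMPAT and single quotes were left alone.
 */
function e(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render one text input like the form in the question, with the value escaped. */
function render_input(string $name, ?string $value): string
{
    return sprintf(
        '<input type="text" class="form-control" id="%1$s" name="%1$s" value="%2$s">',
        e($name),
        e($value)
    );
}

/** The unescaped rendering from the question, kept only for comparison. */
function render_input_unescaped(string $name, ?string $value): string
{
    return sprintf(
        '<input type="text" class="form-control" id="%1$s" name="%1$s" value="%2$s">',
        $name,
        $value ?? ''
    );
}

// Constructed sample records standing in for $data['record']['contact_name'].
$samples = [
    'ABC "DEF"',                     // the case from the question
    "O'Brien",                       // single quote: breaks value='...' without ENT_QUOTES
    '" autofocus onfocus="alert(1)', // attribute breakout, the XSS the answer warns about
    null,                            // record not loaded yet (the ?? '' case in the template)
];

foreach ($samples as $value) {
    echo 'raw:       ' . var_export($value, true) . PHP_EOL;
    echo 'unescaped: ' . render_input_unescaped('contact_name', $value) . PHP_EOL;
    echo 'escaped:   ' . render_input('contact_name', $value) . PHP_EOL . PHP_EOL;
}
```

For the first sample the escaped line contains value="ABC &quot;DEF&quot;", which the browser decodes back to ABC "DEF" in the field; the unescaped line produces value="ABC "DEF"", which the parser cuts off at the second quote exactly as the answer describes. The third sample shows that the same missing escape that truncates the text also lets a stored record add attributes to the tag, which is why the encoding belongs on every echo, not only where quotes happen to appear.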
