html - Using a PHP variable in a text input value = statement

Question

I retrieve three pieces of information from the database, one integer, one string, and one date.

I echo them out to verify the variables contain the data.

When I then use the variables to populate three input boxes on the page, they do not populate correctly.

The following do not work:

id: <input type="text" name="idtest" value=$idtest>

Yes, the variable must be inside <?php var ?> for it to be visible.

So:

id: <input type="text" name="idtest" value=<?php $idtest ?> />

The field displays /.

When I escape the quotes,

id: <input type="text" name="idtest" value="<?php $idtest ?>"  />

the field then displays "".

With single quotes

id: <input type="text" name="idtest" value='<?php $idtest ?>'  />

the field displays nothing or blank.

With single quotes escaped,

id: <input type="text" name="idtest" value='<?php $name ?>'  />

the field displays ''.

With a forward slash (I know that's not correct, but to eliminate it from the discussion),

id: <input type="text" name="idtest" value=/"<?php $name ?>/"  />

the field displays /"/".

Double quotes, escape double quotes, escape double quotes on left side only, etc. do not work.

I can set an input box to a string. I have not tried using a session variable as I prefer to avoid do that.

What am I missing here?

Answer 1

Try something like this:

<input type="text" name="idtest" value="<?php echo htmlspecialchars($name); ?>" />

That is, the same as what thirtydot suggested, except preventing XSS attacks as well.

You could also use the <?= syntax (see the note), although that might not work on all servers. (It's enabled by a configuration option.)