I know that when taking data from a form and putting it into a MySQL database that the data should be escaped using mysql_real_escape_string() to prevent SQL injections. My question is a little different.
I am pulling data from a MySQL database and then displaying it on the page, but I am having a problem. Suppose my data looks like this:
This is some test data, and here's a quote. For good measure, here are "some more" quotes.
Now, my php code would something like this:
echo '<input type="text" value="' . $data . '">';
This results in a broken HTML page, because the data has quotes inside it and it’s being displayed inside an input tag that encompasses the data with quotes.
See the problem?
What is the best solution for this?
Just like
mysql_real_escape_string()is for SQL operations, on the HTML side of things, it’shtmlspecialchars().