-3

Trying to get the HTML code working by using echo.

This works as HTML:

<input type="text" name="ordernum" value="<?= isset($_POST['ordernum']) ? htmlspecialchars($_POST['ordernum']) : '' ?>" />

but when I escape the value with backslash (I have tried dozens of combinations and read a lot on Stack Overflow, but still can't fix it) I get unexpected T_STRING errors.

echo ' <input type="text" name="ordernum" value=\'= isset($_POST['ordernum']) ? htmlspecialchars($_POST['ordernum']) : '' \' />';
botch

5 Answers

0

As Quentin has commented:

You can't just write arbitrary PHP code in the middle of a string literal

It's because of the $_POST['ordernum'] part.

Re-write it like this:

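// ENT_QUOTES also escapes ', which is required because the attribute below is single-quoted
$val = isset($_POST["ordernum"]) ? htmlspecialchars($_POST["ordernum"], ENT_QUOTES) : "";

echo "<input type='text' name='ordernum' value='$val' />";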
Community
Albzi
0

You can't use arbitrary code in a string literal. First assign the value to a variable and use that variable in the echo statement.

$orderNum = isset($_POST['ordernum']) ? htmlspecialchars($_POST['ordernum']) : '';
echo ' <input type="text" name="ordernum" value="'.$orderNum.'" />';
Manibharathi
  • 1
    A ternary condition is perfectly valid in a string definition. You should just remove the `=` and `?>` tags and properly concatenate ;-) – svvac May 19 '14 at 13:30
  • 1
    @user3556674 ok and accept this answer and close this question. – Manibharathi May 20 '14 at 02:26
0

You need to escape with \ the characters that may end your string (i.e. specifically string delimiters " and ').

Those two lines work:

echo "<input type=\"text\" name=\"ordernum\" value=\"" . (isset($_POST['ordernum']) ? htmlspecialchars($_POST['ordernum']) : '') . "\" />";
echo '<input type="text" name="ordernum" value="' . (isset($_POST['ordernum']) ? htmlspecialchars($_POST['ordernum']) : '') . '" />';
svvac
  • as already said [here](http://stackoverflow.com/questions/23738996/echo-a-form-input-with-backslashes#comment36492633_23738996) you cannot use arbitrary condition inside a string – krishna May 19 '14 at 13:33
  • This code is perfectly valid. The ternary condition evaluates to either the HTML-escaped version of `$_POST['ordernum']` or the empty string, which is concatenated to the first part. You can't use an `if` statement in a string definition, but there's nothing preventing you from concatenating literals, function results or ternary conditions. – svvac May 19 '14 at 13:37
0

This is what it should be:

echo('<input type="text" name="ordernum" value="'.(isset($_POST['ordernum'])?htmlspecialchars($_POST['ordernum']):'').'">');

You use a full-stop to concatenate strings, so you should be ending the first portion of the string, adding a full-stop, then the dynamic value, another full stop, then the remainder of the string.

So in your string, what you're doing wrong is here:

value=\'= isset($_POST['ordernum']) ? htmlspecialchars($_POST['ordernum']) : '' \'

Like this:

"first part of string".$myvariable."last part of string";

You only need to escape the quote type which the string is contained by also:

"I need to escape this \" but not this ' "
'I need to escape this \' but not this " '
Luke
0
$val = isset($_POST['ordernum']) ? htmlspecialchars($_POST['ordernum']) : '';

echo '<input type="text" name="ordernum" value="'. $val. '" />';
Kanishk Dudeja
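
Added example (not from the question or any answer): the answers above differ in which quote character wraps the value attribute, and whether htmlspecialchars() protects that attribute depends on its flags, because ENT_COMPAT (the default before PHP 8.1) leaves single quotes unescaped. order_input() and breaks_out() are hypothetical helper names, and the sample input is constructed.

```php
<?php
// Added example; order_input() and breaks_out() are hypothetical helper names.

// Build the input the way the answers do, with the attribute delimiter
// and the htmlspecialchars() flags made explicit.
function order_input(array $post, string $quote, int $flags): string
{
    // ordernum[]=x arrives as an array; treat anything but a string as empty.
    $raw = (isset($post['ordernum']) && is_string($post['ordernum'])) ? $post['ordernum'] : '';
    $val = htmlspecialchars($raw, $flags, 'UTF-8');
    return "<input type=\"text\" name=\"ordernum\" value={$quote}{$val}{$quote} />";
}

// True if the escaped value still contains the delimiter, i.e. the
// attribute would end early and the rest would be parsed as markup.
function breaks_out(string $raw, string $quote, int $flags): bool
{
    return strpos(htmlspecialchars($raw, $flags, 'UTF-8'), $quote) !== false;
}

// Constructed sample input: a harmless value containing both quote types.
$post = ['ordernum' => 'O\'Brien "rush" <42>'];

$cases = [
    ['"', ENT_COMPAT, 'double-quoted attr, ENT_COMPAT (default before PHP 8.1)'],
    ["'", ENT_COMPAT, 'single-quoted attr, ENT_COMPAT (default before PHP 8.1)'],
    ["'", ENT_QUOTES | ENT_SUBSTITUTE, 'single-quoted attr, ENT_QUOTES'],
    ['"', ENT_QUOTES | ENT_SUBSTITUTE, 'double-quoted attr, ENT_QUOTES'],
];

foreach ($cases as [$quote, $flags, $label]) {
    $status = breaks_out($post['ordernum'], $quote, $flags) ? 'BREAKS OUT' : 'contained';
    echo str_pad($label, 58), $status, "\n  ", order_input($post, $quote, $flags), "\n";
}

// An array-valued field is rendered as an empty value instead of a warning or TypeError.
echo order_input(['ordernum' => ['x']], '"', ENT_QUOTES), "\n";
```

Passing the flags and charset explicitly keeps the output the same across PHP versions, whichever quote style the surrounding markup uses.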