21

When I use PHP to set the value of a HTML form input element, it works fine provided I don't have any spaces in the data.

<input type="text" name="username"
<?php echo (isset($_POST['username'])) ? "value = ".$_POST["username"] : "value = \"\""; ?> />

If I enter "Jonathan" as the username, it is repeated back to me as expected. If I enter "Big Ted", however, I only get "Big" repeated back when I submit the form.

Note that the $_POST["Username"] variable is correct; when I echo it using PHP, it is set to "Big Ted".

davidism
DatsunBing

6 Answers

37

Quote it. Otherwise the space will just become an attribute separator and everything after spaces will be seen as element attributes. Right-click the page in the web browser and view source. It should not look like this (also see syntax highlight colors):

<input value=Big Ted>

but rather this

<input value="Big Ted">

Not to mention that this would still break when someone has a quote in his name (and your code is thus sensitive to XSS attacks). Use htmlspecialchars().

Kickoff example:

<input value="<?php echo (isset($_POST['username']) ? htmlspecialchars($_POST['username']) : ''); ?>">
BalusC
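An added example (not part of the original answers) that renders the field the three ways discussed above (unquoted, quoted but unescaped, and quoted with htmlspecialchars()) and parses each result back with DOMDocument to check what the value attribute actually holds. The function names and sample names are constructed for illustration; it assumes PHP 7+ with the dom extension.

```php
<?php
// Added example: helper names and sample values are constructed.

// The question's output: attribute value written without quotes.
function render_unquoted(string $v): string {
    return '<input type="text" name="username" value = ' . $v . ' />';
}
// Quoted, but the submitted value is copied in verbatim.
function render_quoted_raw(string $v): string {
    return '<input type="text" name="username" value="' . $v . '" />';
}
// Quoted and escaped for an HTML attribute context.
function render_escaped(string $v): string {
    $safe = htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="username" value="' . $safe . '" />';
}

// Parse the markup with an HTML parser and report the value attribute
// plus any attribute names other than type/name/value.
function parse_input(string $html): array {
    libxml_use_internal_errors(true);   // malformed markup is expected here
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    if ($input === null) {
        return ['value' => null, 'extra' => ['<no input element parsed>']];
    }
    $extra = [];
    foreach ($input->attributes as $attr) {
        if (!in_array($attr->name, ['type', 'name', 'value'], true)) {
            $extra[] = $attr->name;
        }
    }
    return ['value' => $input->getAttribute('value'), 'extra' => $extra];
}

$samples = ['Jonathan', 'Big Ted', 'Big "Ted" O\'Brien'];   // constructed
foreach ($samples as $name) {
    foreach (['render_unquoted', 'render_quoted_raw', 'render_escaped'] as $fn) {
        $r = parse_input($fn($name));
        printf("%-18s in=%-22s value=%-22s round-trip=%-3s extra=[%s]\n",
            $fn, json_encode($name), json_encode($r['value']),
            $r['value'] === $name ? 'yes' : 'NO', implode(',', $r['extra']));
    }
}
```

A row where round-trip is NO or extra is non-empty means part of the submitted value left the attribute and was read as markup, which is the condition the XSS remark above refers to.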
3
<input type="text" name="username"
<?php echo (isset($_POST['username'])) ? "value = '".$_POST["username"]."'" : "value = ''"; ?> />

You have to wrap the variable result with quotes, so that the browser can know what's the content of the input.

Cristian
2

Just make sure you put the colon after the field, for example:

  <option value="'.$row['name'].'">
2
<input type="text" name="username"
<?php echo (isset($_POST['username'])) ? ('value = "'.$_POST["username"].'"') : "value = \"\""; ?> />

Be aware of your quote usage.

meder omuraliev
  • add a quote to your name and you'll end up with same problem :) – Your Common Sense Jun 20 '10 at 04:28
  • @Col Shrapnel - This was a very trivial question and I'm much too used to frameworks doing the work for me to bother advising that, but sure... – meder omuraliev Jun 20 '10 at 04:39
  • Why not to bring an example with your favorite framework use then? – Your Common Sense Jun 20 '10 at 04:55
  • Because it'd be out of the scope of this simple question and just overcomplicate things. – meder omuraliev Jun 20 '10 at 05:33
  • His problem was he wasn't wrapping double quotes around a string which had a space in it ( properly coding an attribute having a value in HTML ), the solution was to wrap double quotes around it so it was valid HTML, thus answering his question. You're overly being nitpicky about something that isn't so major. Thank you for the downvote. – meder omuraliev Jun 20 '10 at 05:40
2

As you see, it's not a PHP5 or even a PHP question at all.
Basic HTML knowledge is obligatory for one who wants to be a PHP user.

And with templates it looks way neater:

Getting data part code:

$username = "";
if (isset($_POST['username'])) $username = htmlspecialchars($_POST["username"]);

And template code:

<input type="text" name="username" value="<?=$username?>">

If you divide your code into 2 parts, it becomes way more supportable and readable.

Your Common Sense
  • 2
    It's not a good practice to use short open tags since the server can have them disabled though, I would advise against recommending that to the OP. – meder omuraliev Jun 20 '10 at 04:37
  • 1
    @meder well just turn it on. Not a big deal. That's what configuration settings are for. – Your Common Sense Jun 20 '10 at 04:54
  • 2
    Why would you? It's a bad practice to use it in the first place. That and I wouldn't ever use PHP if I managed the server. – meder omuraliev Jun 20 '10 at 05:33
  • 1
    @meder who said it's "bad practice"? – Your Common Sense Jun 20 '10 at 05:37
  • @Col Shrapnel - Most experienced PHP developers agree it is bad practice. They're also being phased out in PHP6, are they not?. http://stackoverflow.com/questions/200640/are-php-short-tags-acceptable-to-use – meder omuraliev Jun 20 '10 at 05:43
  • 1
    @meder no, they are not being phased out in PHP6, it's an empty rumor. Spread by these "most experienced PHP developers". I don't see one there though. ZF uses short tags in their template system if you prefer fat authority as a proof. – Your Common Sense Jun 20 '10 at 06:04
-1

Used quotes and it worked. On the other side, needed to use the following:

$param=preg_replace('/[^A-Za-z0-9 ]/','', $param);
R Sreeram
  • That looks like it would remove some characters from the parameter but leave the spaces. The spaces should get encoded, but this doesn't do that. – Stephen Ostermiller Oct 12 '21 at 22:45