Say you have a text <INPUT> for a user's name and they decide to type in

Johnny's Pizza

This is saved in DB as

Johnny's Pizza

But if the user decides to edit, I repopulate the text <INPUT> as follows

echo form_input('name', htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));

which will show as

Johnny&#039;s Pizza

inside the input field.

PHP.net has a comment here suggesting to use

echo form_input('name', htmlspecialchars($name, ENT_QUOTES, 'UTF-8', FALSE));

that is, FALSE referring to $double_encoding, but I still get

Johnny&#039;s Pizza

in the input field.

Is there a way around this double encoding? Is this something that can be fixed while still using ENT_QUOTES?

Using CodeIgniter 2.0.3.

pepe

1 Answer

Using htmlspecialchars is the correct approach, and won't give the result you describe if you output it directly into the page.

Presumably the form_input function expects to receive text and not HTML, so it runs htmlspecialchars itself. If so, the solution is to just pass it text and not encode the value for HTML first.

Quentin
  • I'm using CodeIgniter as the framework here - so if you're correct, you're saying I could drop `htmlspecialchars` from the form inputs? – pepe Dec 03 '11 at 17:22
  • Apparently, CodeIgniter's form helper already takes care of running `htmlspecialchars` on your values --- http://codeigniter.com/forums/viewthread/158843/P15 --- so the way I'm doing it here means I'm doing it twice – pepe Dec 03 '11 at 17:29
  • If we find [that function](https://github.com/EllisLab/CodeIgniter/blob/develop/system/helpers/form_helper.php#L185), and follow through until we hit [this function](https://github.com/EllisLab/CodeIgniter/blob/develop/system/core/Common.php#L561), we can see that `htmlspecialchars` is already being used and you don't need to use it again. – Quentin Dec 03 '11 at 17:30
  • Right on --- nice little feature of CodeIgniter, I must say --- thx – pepe Dec 03 '11 at 17:32
  • I'd consider it a fundamental requirement for any library that generates form markup. – Quentin Dec 04 '11 at 09:30
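As an added example (not the poster's code and not CodeIgniter's own), a hypothetical stand-in for form_input() that escapes its value the way the answer and comments describe the framework helper doing. It shows why escaping before the call doubles the encoding, why the $double_encode argument does not change that, and what $double_encode actually governs; form_input_stub() and attr_escape() are assumed helper names, and the sample values are constructed.

```php
<?php
// Added example: a hypothetical helper mimicking the escaping that
// CodeIgniter's form helper applies to attribute values on its own.
function attr_escape(string $value): string
{
    // The same call the framework helper effectively makes on the value.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Hypothetical stand-in for form_input(): it escapes the value itself,
// so it expects plain text, not HTML.
function form_input_stub(string $name, string $value): string
{
    return '<input type="text" name="' . attr_escape($name)
         . '" value="' . attr_escape($value) . '" />';
}

$name = "Johnny's Pizza"; // constructed sample, as it sits in the DB

// Caller escapes first, helper escapes again: the '&' that starts the
// apostrophe's entity is itself encoded on the second pass, so the browser
// decodes the attribute only once and displays the entity as literal text.
echo form_input_stub('name', htmlspecialchars($name, ENT_QUOTES, 'UTF-8')), "\n";

// $double_encode = false does not help here: it only leaves alone entities
// that are ALREADY present in the input. A raw apostrophe is not an entity,
// so it is still encoded, and the helper then encodes that entity again.
echo form_input_stub('name', htmlspecialchars($name, ENT_QUOTES, 'UTF-8', false)), "\n";

// Pass plain text and let the helper do the single, necessary escape:
// the attribute holds one encoding and the browser shows the apostrophe.
echo form_input_stub('name', $name), "\n";

// What $double_encode actually controls, on a constructed value that
// already contains an entity:
$stored = 'Fish &amp; Chips';
// default (true): the existing entity's '&' is encoded again
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
// false: the existing entity is recognised and left untouched
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8', false), "\n";
```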