I am pulling information from an SQL database to populate in a form using the PHP Echo command. One of the rows from the sql database includes HTML markup.
When pulling information and populating the form with the data, it will not pull the HTML markup in the form. It looks like this:
Is there a way to have the full HTML markup populate in the form? This is the code I am currently using:
<input name="tag" type="text" id="tag" value="<?php echo $rows['tag']; ?>" size="30"/>
Yes, you would need to use htmlentities() to show the entity code (which can be parsed by the browser as plain text) without actually forcing the browser to render the HTML.
echo htmlentities($rows['tag']);
You need to escape the html code you want to use for populating the form using either htmlentities() or htmlspecialchars(). (See here)
It is in any case good and I would even say needed to use these functions whenever you echo values from a database or other untrusted source. This to prevent script injection, one of the major pitfalls in web development.
This should do it:
<input name="tag" type="text" id="tag" value="<?= htmlspecialchars($rows['tag']) ?>" size="30"/>
You are inserting a double quote into the input box like this:
value="<a href="http://www.google.com">Google</a>"
This should be encoded to html with the function htmlspecialchars
