[RESOLVED] php mysql href input text issues


Static
Oct 1st, 2009, 06:51 PM
lol.. not sure how to word the title!

OK, if I store HTML in the database, specifically an href link:
<a href="blah.com">click</a>

I am trying to pull it back out to an input text field, but since it has the "s, it's screwing up the HTML:
<input type="text" name="msg_' . $row['UID'] . '" value="' . stripslashes($row['MSG']) . '" size="75" maxsize="100" />

I tried the addslashes/stripslashes... but it doesn't help?

kows
Oct 1st, 2009, 07:49 PM
htmlentities() (http://ca3.php.net/manual/en/function.htmlentities.php)

penagate
Oct 1st, 2009, 08:22 PM
Rule of thumb: If you're using addslashes and stripslashes, you probably shouldn't be.

Static
Oct 2nd, 2009, 07:48 AM
Care to elaborate, Mr. penagate?

The reason I am using them is that I have some things like "news items" and gift descriptions that need to be edited. When pulling them from the database and setting the value of a textbox, what if there is a ' in it? Or ", etc.?

examples are always greatly appreciated :)


Looking at the htmlentities... I can't see how it would work? Fine, it converts to ' etc... but when loading that into a text, converting it back will be the same issue, won't it?

Wait.... textarea will fix the whole thing, won't it.

Edit:
Yes, it works fine with add/strip slashes.. tell me why I shouldn't use it?

Edit again:
I'm answering my own questions... OK, I'm seeing how this is safer :)

thanks!

kows
Oct 2nd, 2009, 08:21 AM
htmlentities() will convert all of the HTML entities (ampersands, quotes, etc) in the text to their HTML equivalent (&amp;, &quot;, etc). if you absolutely need to reverse this, you can use html_entity_decode() (http://ca2.php.net/manual/en/function.html-entity-decode.php).

using addslashes() or stripslashes() is ... useless? you can't "escape" the attribute values of HTML tags like you're trying to. and if your data is in a database already and you're retrieving it, then you don't need to worry about stripping any slashes or adding any. the only thing I could even think of that you might use it for is data entry for a database, and if you're using these functions to do that then you should definitely STOP. use mysql_real_escape_string() instead, or use prepared SQL statements if you're using PDO or MySQLi.

Static
Oct 2nd, 2009, 08:35 AM
I'm seeing that. I was using it because when printing it back to the page inside the value="..." part of a text input, the " and ' were messing it up. But using the textarea + the htmlentities() works like a charm!

Thanks!

kows
Oct 2nd, 2009, 08:43 AM
you can actually just use a regular <input> and htmlentities(), but if you actually need a <textarea> then I guess that works too.

Static
Oct 5th, 2009, 07:33 AM
I tried using regular input text, but since the HTML code had "s in it, it was messing up my code when using echo.

kows
Oct 5th, 2009, 11:41 AM
I'm not sure how, but it sounds like you were just using it wrong. A textarea ignores quotes in the first place. anyway, the proper way to use this function (I hope you looked at the examples on PHP.net, too):
<?php
$myvar = 'this text has """" lots of double quotes!';
?>
<input type="text" value="<?php echo $myvar; ?>" />

<!--
this will obviously output the following, which will break the <input>'s value attribute:
<input type="text" value="this text has """" lots of double quotes!" />
-->

<input type="text" value="<?php echo htmlentities($myvar); ?>" />

<!--
however, this will output properly formatted text instead, and will not break:
<input type="text" value="this text has &quot;&quot;&quot;&quot; lots of double quotes!" />
-->

hope that helps!
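
Added example, not part of the original thread: the script below renders the field from the question once with addslashes() and once with htmlentities() using ENT_QUOTES, then parses the markup with DOMDocument to show which value the field actually ends up holding. The helper names, the field name msg_1 and the second sample string are constructed for illustration; it assumes PHP 7.1+ with the DOM extension.

```php
<?php
// Added example: render_input(), parsed_value() and the samples are constructed.

// Build the <input> from the question with a pluggable escaping function.
function render_input(string $name, string $stored, callable $escape): string
{
    return '<input type="text" name="' . $name . '" value="' . $escape($stored) . '" size="75" />';
}

// Parse the markup like a browser would and return the value attribute,
// i.e. the text the user sees in the field and submits back.
function parsed_value(string $html): ?string
{
    libxml_use_internal_errors(true);   // the broken markup is expected to raise parse errors
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input ? $input->getAttribute('value') : null;
}

$samples = [
    '<a href="blah.com">click</a>',   // the stored link from the question
    "it's a \"gift\" & more",         // constructed: both quote types plus an ampersand
];

$escapers = [
    // Backslashes mean nothing to an HTML parser, so the first " still ends the attribute.
    'addslashes'   => 'addslashes',
    // ENT_QUOTES encodes both " and ', so the value is safe in either quoting style.
    'htmlentities' => function (string $s): string {
        return htmlentities($s, ENT_QUOTES, 'UTF-8');
    },
];

foreach ($samples as $stored) {
    foreach ($escapers as $label => $escape) {
        $html = render_input('msg_1', $stored, $escape);
        $seen = parsed_value($html);
        $verdict = ($seen === $stored) ? 'round-trips' : 'BROKEN';
        printf("%-13s %s\n  markup:      %s\n  field holds: %s\n\n",
            $label, $verdict, $html, var_export($seen, true));
    }
}
```

Because the parser decodes the entities when it reads the attribute, the submitted value is already the original text and needs no html_entity_decode() before being saved.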