Mark wrote:
--- Andy B <[EMAIL PROTECTED]> wrote:

I have the following HTML line:
<input type="text" name="referred" value=<?echo $old['Referred'];?> accesskey="d" id="id-referred">
The PHP variable $old['Referred'] was pulled from a MySQL table. The full string that this variable holds is "I work for you..." but when used as a default value in an input text field for HTML, the only part that shows up in the form itself is "I". Is there anything going on that I'm missing somewhere?

Yes. Perform the substitution manually. You'll get
<input type="text" name="referred" value=I work for you... accesskey="d" id="id-referred">


You need quotes around the PHP code.
<input type="text" name="referred" value="<?echo $old['Referred'];?>"
 accesskey="d" id="id-referred">

To prevent a cross site scripting vulnerability, you'll want to use htmlentities(), also.


<input type="text" name="referred" value="<?echo htmlentities($old['Referred']);?>" accesskey="d" id="id-referred">

Otherwise the value could have a double quote within it and a malicious user could effectively "end" your input text box and inject their own HTML.

---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
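
The three variants discussed in this thread, rendered and parsed back so the difference shows up as recovered attributes. This is an added example, not code from any poster; the function names, the sample values and the data-marker attribute are constructed for illustration, and it assumes PHP's DOM extension is available.

```php
<?php
// Added example (not from the thread): render the field three ways and
// parse the result back to see which attributes an HTML parser recovers.

function render_unquoted(string $v): string {
    return '<input type="text" name="referred" value=' . $v . ' accesskey="d" id="id-referred">';
}
function render_quoted(string $v): string {
    return '<input type="text" name="referred" value="' . $v . '" accesskey="d" id="id-referred">';
}
function render_escaped(string $v): string {
    // ENT_QUOTES also encodes single quotes, so the output stays safe if
    // the attribute is ever switched to single-quote delimiters.
    $safe = htmlentities($v, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="referred" value="' . $safe . '" accesskey="d" id="id-referred">';
}

// Parse the markup and return the attributes of the first <input>.
function parsed_attributes(string $html): array {
    libxml_use_internal_errors(true);   // malformed markup is expected here
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body><form>' . $html . '</form></body></html>');
    libxml_clear_errors();
    $attrs = [];
    $input = $doc->getElementsByTagName('input')->item(0);
    if ($input !== null) {
        foreach ($input->attributes as $a) {
            $attrs[$a->name] = $a->value;
        }
    }
    return $attrs;
}

// Constructed sample values: the string from the thread, and one holding
// a double quote followed by a harmless marker attribute.
$samples  = ['I work for you...', 'x" data-marker="1'];
$expected = ['type', 'name', 'value', 'accesskey', 'id'];

foreach ($samples as $v) {
    foreach (['render_unquoted', 'render_quoted', 'render_escaped'] as $fn) {
        $attrs  = parsed_attributes($fn($v));
        // Intact means: exactly the five intended attributes, value unchanged.
        $intact = array_keys($attrs) === $expected && ($attrs['value'] ?? null) === $v;
        printf("%-16s %-22s %s\n", $fn, json_encode($v),
               $intact ? 'intact' : 'ALTERED: ' . json_encode($attrs));
    }
}
```

Only the escaped variant should report both sample values as intact; the quoted-but-unescaped variant survives the first string and is altered by the second.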


