In (X)HTML, attribute values should be enclosed by double or single quotes. But a common source of errors and confusion arises when those values themselves contain double or single quotes. This is especially common for form input fields, where the values might contain data obtained from a database or supplied previously by the user.
<input type="text" name="last_name" value=""My quote!"" /> but another fix is using PHP - I found this with Google search
Consider the case of an input text field for last name:
Usually, attribute values are surrounded by double quotes, but single quotes are also allowed, and serve to highlight the pitfall here. Say that the value of the last name text field is taken from a database of users, and this particular user’s last name is “O’Reilly” – the PHP code will be:
And the HTML output will be:
This will make the last name appear as just “O” in a browser, and it will be sent as that when the form is submitted. This is because the single quote in “O’Reilly” is taken as marking the end of the value. What we want is to encode the quote character so that HTML understands that we mean the literal single quote character. The encoded version of a single quote is “&amp;#039;”. The encoding can be done in a number of ways. For example, we can use the function str_replace() to replace all occurrences of “'” with “&amp;#039;”. But the most convenient and complete way is to use the htmlentities() function on the $lastName variable. Note that htmlentities() encodes single quotes only when the ENT_QUOTES flag is in effect: it is part of the default flags from PHP 8.1 on and has to be passed explicitly on older versions. The PHP code is as follows:
Which will output:
Although “O’Reilly” is now not in its literal form in the HTML code, it will be displayed and sent properly from a form on an HTML page as seen in a browser.
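The pitfall and the fix described above, as an added example that is not the article's original listing. The sample values are constructed, the function names are hypothetical, and the round-trip check assumes PHP's DOM extension is installed.

```php
<?php
// Added example; $samples is constructed data standing in for database values.

// Naive version: the value is placed in the single-quoted attribute as-is.
function renderRaw(string $lastName): string
{
    return "<input type='text' name='last_name' value='" . $lastName . "' />";
}

// Encoded version: the value is escaped for the attribute context at output time.
function renderEscaped(string $lastName): string
{
    // ENT_QUOTES encodes both ' and ". Before PHP 8.1 the default flag was
    // ENT_COMPAT, which leaves single quotes untouched.
    $safe = htmlentities($lastName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<input type='text' name='last_name' value='" . $safe . "' />";
}

// Parse the markup with the DOM extension (libxml2), which applies the same
// attribute quoting rules, and read the value attribute back.
function parsedValue(string $html): string
{
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    return $doc->getElementsByTagName('input')->item(0)->getAttribute('value');
}

$samples = ["O'Reilly", '"My quote!"'];

foreach ($samples as $lastName) {
    foreach (['renderRaw', 'renderEscaped'] as $render) {
        $html = $render($lastName);
        printf("%-14s %s\n", $render . ':', $html);
        printf("%-14s %s\n\n", 'parsed value:', parsedValue($html));
    }
}
```

The raw form only survives values that happen to contain no single quote, which is why the encoding belongs at the point of output rather than depending on what the database holds.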