Using htmlentities in a string

问题

I know I should be using htmlentities for all my form text input fields but this doesn't work:

<?php
echo "<tr>
        <td align=\"right\">".Telephone." :</td>    
        <td><input type=\"text\" name=\"telephone\" size=\"27\"
            value=\"htmlentities($row[telephone])\"> Inc. dialing codes
        </td>    
</tr>";
?>

It simply shows the input value as "htmlentities(0123456789)" in the form? What have I done wrong please?

回答1:

try using

value=\"" . htmlentities($row[telephone]) . "\"

there. Currently, your string simply contains the htmlentities string and splices the variable in. You need to get out the string, call the function and put it's result in place, as above.

回答2:

You can't call a function in the middle of a string. You need to get the return value from the function call and then include that in the string.

However...

<tr>
    <td align="right">
        <label for="telephone">Telephone:</label>
    </td>    
    <td>
        <input type="text" 
               name="telephone" 
               id="telephone"
               size="27" 
               value="<?php 
                   echo htmlentities($row[telephone]); 
               ?>"> 
        Inc. dialing codes 
    </td>
</tr>

... would be cleaner.

As would getting rid of the deprecated presentational markup and use of tables for layout.

回答3:

This will work:

<?php
echo "    <tr>
                    <td align=\"right\">Telephone :</td>    
                    <td><input type=\"text\" name=\"telephone\" size=\"27\" value=\"".htmlentities($row[telephone])."\"> Inc. dialing codes</td>    
            </tr>";
?>

BTW, I also corrected some very strange syntax you have going on here, like where you concatenate the constant "Telephone", which really should be inside the string. These kinds of details are important and will break your code easily.

Also, I suggest using single quotes, instead of double, around a string like this so that you don't have to escape all of the double quotes inside the string.

回答4:

@workmad3: that won't work as he's doing PHP.

<?php echo '<tr>
                <td align="right">' . Telephone . ' :</td>    
                <td><input type="text" name="telephone" size="27" value="' . htmlentities($row[telephone]) . '" /> Inc. dialing codes</td>    
        </tr>';

回答5:

if you're just looking for making-your-output-safe-in-hml; You should use htmlspecialchars() instead, since its 'only' an telephone number.

htmlspecialchars($row[telephone], ENT_QUOTES);

htmlentities() is a bit slower and not as good with multibyte characters. But I'm guessing you're not getting to those problems just jet.

回答6:

If you want to combine a large section of HTML and PHP variables there are two things you can do.

One, use a HEREDOC construction.

$txt = <<<HERETEXT
Put your HTML here.
HERETEXT;

echo $txt;

Second, use a first class variable to name a function, then use that in the HEREDOC.

$he = 'htmlentities';

$txt = <<<HERETEXT
{$he($string, ENT_QUOTES, 'UTF-8')}
HERETEXT;

echo $txt;

However, HTML should not be handled in very large chunks, owing to the increase risk of nasty errors. Also, you might repeat yourself needlessly.

回答7:

First of all, don't echo your HTML in a string. Separate code from markup.

<tr>
    <td align="right">Telephone :</td>
    <td><input type="text" name="telephone" size="27"
        value="<?php echo htmlentities($row['telephone']); ?>"> Inc. dialing codes</td>
</tr>

来源：https://stackoverflow.com/questions/209237/using-htmlentities-in-a-string