1

I know I should be using htmlentities for all my form text input fields but this doesn't work:

<?php
echo "<tr>
        <td align=\"right\">".Telephone." :</td>    
        <td><input type=\"text\" name=\"telephone\" size=\"27\"
            value=\"htmlentities($row[telephone])\"> Inc. dialing codes
        </td>    
</tr>";
?>

It simply shows the input value as "htmlentities(0123456789)" in the form. What have I done wrong, please?

1
  • You should use htmlspecialchars, not htmlentities. Of course, as long as you are implementing UTF-8. Commented Oct 17, 2008 at 14:59

7 Answers

5

try using

value=\"" . htmlentities($row[telephone]) . "\"

there. Currently, your string simply contains the htmlentities text and splices the variable in. You need to get out of the string, call the function and put its result in place, as above.


3 Comments

+ is not the concat operator in PHP, it's .
should be: value=\"" . htmlentities($row[telephone]) . "\"
changed... it's been a while since I've used actual PHP :)
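To make the accepted fix concrete, here is an added example (not code from the question or from this answer) that renders the same input field both ways. The $row array is a constructed sample whose value contains quotes and angle brackets, so the difference between the two strings is visible in the output.

```php
<?php
// Added example: why "htmlentities($x)" inside a double-quoted string is emitted
// as literal text, and what the concatenated version renders instead.

// Constructed sample row; the value deliberately contains characters that
// matter inside an HTML attribute.
$row = ['telephone' => '0123456789 "home" <mobile>'];

// Broken form: PHP interpolates $row[telephone] inside the string, but the
// surrounding htmlentities( ... ) is just characters, so the browser receives
// the function name as part of the attribute and the raw quotes end the
// attribute early. (Inside a double-quoted string the unquoted key is the
// correct simple syntax; outside a string it must be $row['telephone'].)
function renderFieldBroken(array $row): string
{
    return "<input type=\"text\" name=\"telephone\" size=\"27\" value=\"htmlentities($row[telephone])\">";
}

// Fixed form: leave the string, call the function, and concatenate its return
// value. ENT_QUOTES encodes both quote characters; 'UTF-8' names the page charset.
function renderFieldFixed(array $row): string
{
    return '<input type="text" name="telephone" size="27" value="'
        . htmlentities($row['telephone'], ENT_QUOTES, 'UTF-8')
        . '">';
}

echo renderFieldBroken($row), PHP_EOL;
echo renderFieldFixed($row), PHP_EOL;
```

The first line still contains the literal text htmlentities( and an unescaped double quote, which is exactly what the question reports seeing; the second line carries the escaped value, so the quotes and brackets stay inside the attribute.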
3

You can't call a function in the middle of a string. You need to get the return value from the function call and then include that in the string.

However...

<tr>
    <td align="right">
        <label for="telephone">Telephone:</label>
    </td>    
    <td>
        <input type="text" 
               name="telephone" 
               id="telephone"
               size="27" 
               value="<?php 
                   echo htmlentities($row['telephone']); 
               ?>"> 
        Inc. dialing codes 
    </td>
</tr>

... would be cleaner.

As would getting rid of the deprecated presentational markup and use of tables for layout.


1

This will work:

<?php
echo "    <tr>
                    <td align=\"right\">Telephone :</td>    
                    <td><input type=\"text\" name=\"telephone\" size=\"27\" value=\"".htmlentities($row[telephone])."\"> Inc. dialing codes</td>    
            </tr>";
?>

BTW, I also corrected some very strange syntax you have going on here, like where you concatenate the constant "Telephone", which really should be inside the string. These kinds of details are important and will break your code easily.

Also, I suggest using single quotes, instead of double, around a string like this so that you don't have to escape all of the double quotes inside the string.


1

@workmad3: that won't work as he's doing PHP.

<?php echo '<tr>
                <td align="right">Telephone :</td>    
                <td><input type="text" name="telephone" size="27" value="' . htmlentities($row['telephone']) . '" /> Inc. dialing codes</td>    
        </tr>';


1

If you're just looking to make your output safe in HTML, you should use htmlspecialchars() instead, since it's 'only' a telephone number.

htmlspecialchars($row['telephone'], ENT_QUOTES);

htmlentities() is a bit slower and not as good with multibyte characters. But I'm guessing you're not getting to those problems just yet.

1 Comment

I agree, only htmlspecialchars is needed. Of course, I hope you are implementing UTF-8 too.
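The flags matter more than the choice between the two functions. The following added example (not part of the answer above) wraps htmlspecialchars() in a small helper named e(), an assumed name, and runs a few constructed sample values through both functions so the differences, including the invalid-UTF-8 case, are visible.

```php
<?php
// Added example: an output-escaping helper built on htmlspecialchars(), and the
// flags a practitioner should pass. e() is an assumed helper name.

declare(strict_types=1);

// ENT_QUOTES     : encode both " and ' so the value is safe in either attribute quoting style
// ENT_SUBSTITUTE : replace invalid UTF-8 sequences with U+FFFD instead of returning ''
// 'UTF-8'        : must match the charset the page is actually served with
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample values.
$samples = [
    'plain'        => '0123456789',
    'quotes'       => "01234 'home' \"work\"",
    'markup'       => '<b>0123</b> & co',
    'accented'     => 'Zürich 044',   // multibyte UTF-8, which htmlspecialchars leaves as-is
    'invalid_utf8' => "0123\xC3",     // truncated multibyte sequence
];

foreach ($samples as $label => $value) {
    printf("%-13s htmlspecialchars: %s\n", $label, e($value));
    // htmlentities() additionally converts ü to a named entity, which is
    // unnecessary on a UTF-8 page and costs a larger lookup.
    printf("%-13s htmlentities:     %s\n", $label,
        htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// Without ENT_SUBSTITUTE (or ENT_IGNORE), an invalid sequence makes the call
// return an empty string, which silently blanks the field.
var_dump(htmlspecialchars("0123\xC3", ENT_QUOTES, 'UTF-8') === '');

// The question's field, rendered through the helper.
$row = ['telephone' => $samples['quotes']];
echo '<input type="text" name="telephone" size="27" value="' . e($row['telephone']) . '">', PHP_EOL;
```

Passing the flags explicitly is deliberate: before PHP 8.1 the default flags did not include ENT_QUOTES, so single quotes went through unescaped and a value placed in a single-quoted attribute could break out of it. Pinning the charset avoids depending on the default_charset ini setting.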
1

If you want to combine a large section of HTML and PHP variables there are two things you can do.

One, use a HEREDOC construction.

$txt = <<<HERETEXT
Put your HTML here.
HERETEXT;

echo $txt;

Second, use a first class variable to name a function, then use that in the HEREDOC.

$he = 'htmlentities';
$string = $row['telephone']; // the value to escape

$txt = <<<HERETEXT
{$he($string, ENT_QUOTES, 'UTF-8')}
HERETEXT;

echo $txt;

However, HTML should not be handled in very large chunks, owing to the increased risk of nasty errors. Also, you might repeat yourself needlessly.

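The heredoc technique above, applied to the question's table row, as an added example that is not the answer's own code. $row is a constructed sample; $e is an assumed variable name holding the escaping function's name.

```php
<?php
// Added example: a heredoc template that calls an escaping function through a
// variable holding the function name. $row is a constructed sample.

$row = ['telephone' => '0123 "home"'];

// A string containing a function name is callable, and the {$name(...)} form
// is interpolated inside a heredoc, so the escaping call can sit in the template
// exactly where the value is emitted.
$e = 'htmlspecialchars';
$telephone = $row['telephone'];

$html = <<<HTML
<tr>
    <td align="right">Telephone :</td>
    <td><input type="text" name="telephone" size="27"
        value="{$e($telephone, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')}"> Inc. dialing codes</td>
</tr>

HTML;

echo $html;
```

The flags and charset are passed inside the template for the same reason as in any other call: the heredoc changes how the call is written, not what it must do. Keeping the value in a plain variable ($telephone) rather than indexing $row inside the braces keeps the template readable.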

0

First of all, don't echo your HTML in a string. Separate code from markup.

<tr>
    <td align="right">Telephone :</td>
    <td><input type="text" name="telephone" size="27"
        value="<?php echo htmlentities($row['telephone']); ?>"> Inc. dialing codes</td>
</tr>

3 Comments

His HTML is inside a PHP string, so the tags won't work. Also, as an aside, using short tags ("<?= ?>") is a bad idea, since they have to be enabled in php.ini, which you may not have access to.
Right, I removed short tags. Should not be putting markup in a string though, made note of that.
Of course his HTML inside of PHP tags will work because he has an echo.
