
MySQL value with apostrophe not showing up in textarea

I have inserted the following TEXT value into mysql..

$_POST['groupname'] = "Linda's Group";
$groupname = addslashes($_POST['groupname']);

then retrieve it like this..

$groupname = $row['groupname'];

When I echo it, it shows up correctly as "Linda's group"

but when I put it into..

echo "<input name='groupname' type='hidden' value='$groupname' />";

it shows up as "Linda"; only the text before the apostrophe is shown.

What am I doing wrong?


Whenever you want to send a string to the browser, use htmlspecialchars($string).

Replace that with:

echo "<input name='groupname' type='hidden' value='" . htmlspecialchars($groupname, ENT_QUOTES) . "' />";

... and remove the addslashes() call.

Also, make sure you always use mysql_real_escape_string($string) when inserting string values in a MySQL database.


you need to escape content before displaying it on a web page. your markup reads:

try: htmlspecialchars($dataToEscape, ENT_QUOTES, 'UTF-8', false)

without this you are vulnerable to XSS.
consider this example: Linda'><script src='evil.js'></script>s Group

<input name='groupname' type='hidden' value='Linda'><script src='evil.js'></script>s Group' />


You need to escape your single quote before you use it in your HTML. This is because your attribute values are surrounded by single quotes.

If you didn't escape the quote, the generated HTML is:

<input name='groupname' type='text' value='Linda's group' />

This is not valid. What you need is:

<input name='groupname' type='text' value='Linda&#039;s group' />

You can get that by calling htmlspecialchars:

echo "<input name='groupname' type='hidden' value='" . htmlspecialchars($groupname) . "' />";

This also prevents XSS attacks. Otherwise someone could enter '/><script type="text/javascript">alert("omg hax!")</script><br' for example, and you would get an alert on your page.
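The answers describe two separate escaping steps: parameterising the value on its way into MySQL (instead of addslashes()), and htmlspecialchars() with ENT_QUOTES on its way out into the HTML attribute. The script below is an added example, not code from the question or any of the answers; it uses an in-memory SQLite database through PDO as a stand-in for MySQL (the table name `groups` and the helper names `attr`, `hidden_input`, `save_group` and `load_group` are assumptions), and feeds it both the value from the question and the payload quoted in the answers.

```php
<?php
// Added example (not from the original question or answers): store the group
// name with a prepared statement, read it back unchanged, then render the
// hidden input with the value escaped for a single-quoted HTML attribute.
// The PDO connection is an in-memory SQLite database standing in for MySQL;
// the inputs are constructed samples.

declare(strict_types=1);

/** Escape a value for use inside a quoted HTML attribute. */
function attr(string $value): string
{
    // ENT_QUOTES encodes both ' and " so the value is safe in single- or
    // double-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead
    // of silently returning an empty string. Passing the flags explicitly
    // gives the same result on every PHP version.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render the hidden input from the question with both attributes escaped. */
function hidden_input(string $name, string $value): string
{
    return "<input name='" . attr($name) . "' type='hidden' value='" . attr($value) . "' />";
}

/** Insert the group name as a bound parameter; no addslashes() involved. */
function save_group(PDO $pdo, string $groupname): int
{
    // The value travels separately from the SQL text, so the apostrophe in
    // "Linda's Group" is stored literally and needs no stripslashes() later.
    $stmt = $pdo->prepare('INSERT INTO groups (groupname) VALUES (:name)');
    $stmt->execute([':name' => $groupname]);
    return (int) $pdo->lastInsertId();
}

/** Read the stored value back; what comes out is exactly what went in. */
function load_group(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT groupname FROM groups WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : (string) $name;
}

// Assumed schema on an in-memory SQLite database (MySQL stand-in).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE groups (id INTEGER PRIMARY KEY AUTOINCREMENT, groupname TEXT NOT NULL)');

// Constructed sample inputs: the value from the question and the payload
// quoted in the answers.
$samples = [
    "Linda's Group",
    "Linda'><script src='evil.js'></script>s Group",
];

foreach ($samples as $input) {
    $id     = save_group($pdo, $input);
    $stored = load_group($pdo, $id);

    // The database round-trip must not alter the value; only the HTML
    // rendering step encodes it.
    if ($stored !== $input) {
        throw new RuntimeException("round-trip changed the value for id $id");
    }

    echo hidden_input('groupname', $stored), "\n";
}
```

Run it with `php example.php` (the pdo_sqlite extension must be enabled). In the rendered output every `'`, `<` and `>` of the value appears as an entity, so the attribute ends where the template closes it and the `<script>` text is inert. If the browser later submits that hidden field back, it decodes the entities itself, so the value arrives in `$_POST` exactly as stored and needs no stripslashes().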
