Convert Quotes Using htmlspecialchars AND Keep HTML Tags in PHP

Question

I have a hidden input tag that I want its value to have quotes in it. How would I escape the quotes so that I can use it for the value?

HTML

<input type="hidden" name="edited_terms" 
value="<p>\"Please enter any additional terms and conditions here.\"</p>" />

PHP

$terms = mysql_real_escape_string($terms);
echo '<input type="hidden" name="edited_terms" value="'.$terms.'" />';

I would like to use both single and double quotes, however setting it to value='<p>\\"Please enter any additional terms and conditions here.\\"</p>' won't let me use single quotes.

The function htmlspecialchars let's me accomplish this but it will get rid of HTML tags. For example, <p> will be converted to <p> . I want to be able to keep the <p> tags and convert the quotes to " .

Answer 1

Try this Daniel:

<input name="edited_terms" 
value="<p>&quot;Please enter any additional terms and conditions here.&quot;</p>" />

Update PHP:

$terms ="<p>&quot;Please enter any additional terms and conditions here.&quot;</p>";           
echo '<input type="hidden" name="edited_terms" value="'.$terms.'" />';

Answer 2

First, HTML is not MySQL. So MySQL functions won't help here.

Second, use htmlspecialchars on the HTML attribute value:

$terms = htmlspecialchars($terms);
echo '<input type="hidden" name="edited_terms" value="'.$terms.'" />';

For attribute values in single quotes, use htmlspecialchars with ENT_QUOTES flag.