PHP Build a Basic PHP Website Enhancing a Form Escaping Output

John Gianniny

How to employ Escape Output here...

I think I am way off on this one; please help.

views_listing_edit.php
<?php require_once("controllers_listing.php"); ?><html>
<body>

    <h1>Edit Listing</h1>

    <form method="post">
        <table>
            <tr>
                <th>
                    <label for="name">Name</label>
                </th>
                <td>
                    <input id="name" name="name" value="<?php echo htmlspecialchars($_POST['$listing_name']); ?>">
                </td>
            </tr>
            <tr>
                <th>
                    <label for="link">Link</label>
                </th>
                <td>
                    <input id="link" name="link" value="<?php echo htmlspecialchars($_POST['$listing_link']); ?>">
                </td>
            </tr>
            <tr>
                <th>
                    <label for="description">Description</label>
                </th>
                <td>
                    <textarea id="description" name="description"><?php echo htmlspecialchars($_POST['$listing_description']); ?></textarea>
                </td>
            </tr>    
        </table>
        <input type="submit" value="Save">
    </form>

</body>
</html>

1 Answer

You were mostly correct; the problem is that the variables you are escaping are coming from the required script at the top, not from the POST array.

This:

<input id="name" name="name" value="<?php echo htmlspecialchars($_POST['$listing_name']); ?>">

Should become this:

<input id="name" name="name" value="<?php echo htmlspecialchars($listing_name); ?>">

Once you've changed all 3 of these, it should pass.

John Gianniny

Thank you Conner! The explanation is really helpful as well.
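
The difference between the question's version and the answer's version, as an added example (not code from the course or from either poster). `e()` is a hypothetical helper, `$posted` is a constructed stand-in for the submitted form, and the three `$listing_*` values are constructed stand-ins for what `controllers_listing.php` would set.

```php
<?php
// Added example, not the course's code. All sample values are constructed.

// Hypothetical helper: escape a value for HTML text or a quoted attribute.
function e(?string $value): string
{
    // ENT_QUOTES escapes both " and '; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of making the whole result an empty string.
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Stand-ins for the variables controllers_listing.php provides (assumption).
$listing_name        = 'Tom\'s "Best" <b>Cafe</b>';
$listing_link        = 'https://example.com/?a=1&b=2';
$listing_description = 'Closes early </textarea><p>stray markup</p>';

// The question's version: inside single quotes PHP does not interpolate, so
// the array key is the literal text $listing_name. The form only posts
// name, link and description, so the lookup finds nothing to escape.
$posted = ['name' => 'x', 'link' => 'y', 'description' => 'z']; // constructed
$from_question = e($posted['$listing_name'] ?? null);
?>
<!-- question's version renders an empty value -->
<input id="name" name="name" value="<?php echo $from_question; ?>">

<!-- answer's version: escape the controller's variable at output time -->
<input id="name" name="name" value="<?php echo e($listing_name); ?>">
<input id="link" name="link" value="<?php echo e($listing_link); ?>">
<textarea id="description" name="description"><?php echo e($listing_description); ?></textarea>

<!-- unescaped, for comparison: the " in the name ends the value attribute -->
<input id="name" name="name" value="<?php echo $listing_name; ?>">
```

In the escaped lines the quotes come out as `&quot;` and `&#039;` and `<` as `&lt;`, so each value stays inside its attribute or textarea.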