Use htmlentities:

使用htmlentities：

<input value="<?php echo htmlentities($value);?>">

I suppose your "text box" is an HTML <input>element?

我想你的“文本框”是一个 HTML<input>元素？

If so, you are displaying it using something like this:

如果是这样，您将使用以下内容显示它：

echo '<input name="..." value="' . $yourValue . '" />';

If it's the case, you need to escape the HTML that's contained in your variable, with htmlspecialchars:

如果是这种情况，您需要转义包含在变量中的 HTML，使用htmlspecialchars：

echo '<input name="..." value="' . htmlspecialchars($yourValue) . '" />';

Note that you might have to add a couple of parameters, especially to specify the encoding your are using.

请注意，您可能需要添加几个参数，特别是要指定您正在使用的编码。

This way, considering $yourValuehas been initialized like this :

这样，考虑$yourValue已像这样初始化：

$yourValue = '5 " inches';

You'll get from this generated HTML:

你将从这个生成的 HTML 中得到：

<input name="..." value="5 " inches" />

To that one, which works much better:

对于那个，效果更好：

<input name="..." value="5 &quot; inches" />

For UTF-8 I went for htmlspecialchars($value, ENT_QUOTES, "UTF-8")which did the trick.

对于 UTF-8，我选择了htmlspecialchars($value, ENT_QUOTES, "UTF-8")它。

stack source

堆栈源

When using character set UTF-8, I use the code below to get I?t?rnati?nàliz?ti?n anddouble (or single) quotes right:

使用字符集 UTF-8 时，我使用下面的代码来正确获取 I?t?rnati?nàliz?ti?n和双（或单）引号：

<input type="text" name="title" value="<?php echo htmlentities(stripslashes(utf8_decode($title))); ?>" />

PS: This is useful after someone submitted the form, but when the input is not validated.

PS：这在有人提交表单后很有用，但是当输入未验证时。

I've found if you have double quotes in a variable in JavaScript (from Ajax/database whatever) and you want to put it in a field - if you build the whole field/form HTML content and then swap that into a div using innerHTML, the double quotes in the value will cause problems. I was doing this and I couldn't figure a way around it by escaping either.

我发现如果你在 JavaScript 的变量中有双引号（来自 Ajax/数据库）并且你想把它放在一个字段中 - 如果你构建整个字段/表单 HTML 内容，然后使用 innerHTML 将它交换到一个 div ，值中的双引号会引起问题。我正在这样做，我也无法通过逃避来解决它。

You should build the HTML content with the field and swap it in first, and then do a document.getElementById('myfieldid').value = thevalue; instead and it works fine.

您应该使用该字段构建 HTML 内容并首先将其交换，然后执行 document.getElementById('myfieldid').value = thevalue; 相反，它工作正常。

Personally, I use this trick:

就个人而言，我使用这个技巧：

$s = str_replace("& amp ;", "&", (htmlentities(stripslashes($s), ENT_QUOTES, 'UTF-8')));

I needed to apply htmlspecialcars()to the query result array. I found a useful solution from here(see the comment by sean).

我需要申请htmlspecialcars()到查询结果数组。我从这里找到了一个有用的解决方案（请参阅肖恩的评论）。

// Create a cleaning function
function _clean(&$value) {
  $value = htmlspecialchars($value);
  //$value = htmlspecialchars($value, ENT_QUOTES); // Alternative
}

// Fetch the data from DB somehow (sqlQ is a custom function)
$q = "...";
$r = $d->sqlQ($q);
$row = mysqli_fetch_array($r, MYSQLI_ASSOC);

//...call the function recursively (not always necessary) to the resultset row
array_walk_recursive($row, '_clean');

It does quite a bit unnecessary work if you fetch only a few text columns, but at least you don't need to write the htmlspecialchars()function to the HTML form multiple times.

如果您只获取几个文本列，它会做很多不必要的工作，但至少您不需要将该htmlspecialchars()函数多次写入HTML 表单。

Try this

尝试这个

 echo '<input name="..." value="' . htmlspecialchars(stripslashes($yourValue)) . '" />';

or

或者

<input name="..." value="<?php echo htmlspecialchars(stripslashes($value)); ?>">

Good luck ;)

祝你好运 ;）