This is my entire PHP code:

<?php if(empty($_POST['selid']))
        {echo "no value selected";  }
        else 
        {
            $con = mysql_connect("localhost","root","");
            if(mysql_select_db("cdcol", $con))
                {
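                    // Escape the POSTed id before it is placed in the SQL string
                    $id = mysql_real_escape_string($_POST['selid'], $con);
                    $sql= "SELECT * FROM products where Id = '$id'";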

                    if($result=mysql_query($sql))
                    {   

                        echo "<form name=\"updaterow\" method=\"post\" action=\"dbtest.php\">";
                        while($row = mysql_fetch_array($result))
                        { 
                        echo "Id :<input type=\"text\" name=\"ppId\" value=".$row['Id']." READONLY></input></br>";
                        echo "Name :<input type=\"text\" name=\"pName\" value=".$row['Name']."></input></br>";
                        echo "Description :<input type=\"text\" name=\"pDesc\" value=".$row['Description']."></input></br>";
                        echo "Unit Price :<input type=\"text\" name=\"pUP\" value=".$row['UnitPrice']."></input></br>";
                        echo "<input type=\"hidden\" name=\"mode\" value=\"Update\"/>";

                        }
                        echo "<input type=\"submit\" value=\"Update\">";
                        echo "</form>";
                    }
                    else {echo "Query ERROR";}
                }
        }
?>

The problem here is: if the value I am getting from the database using mysql_fetch_array($result) is like (say Description is) "my product",

then the input box shows only "my"; the word (or digit) after the space (i.e. blank space) doesn't get displayed. Can an input box like the one above display data with two or more words (separated by blank spaces)?

+1  A: 

The HTML parser has no way of knowing that <input value=abc def...> means value=abc def. It has to parse it as two attributes, the attribute value with the value abc and the attribute def without a value.

You have to enclose the value in quotes, e.g. <input value="abc def" ...>
You also have to encode " as &quot; within the value. Otherwise the HTML parser will get confused again, since it has no way of knowing that the second " in value="abc"def" is not a delimiter but part of the content. You can use htmlspecialchars() for this.

e.g.

// Quote every attribute value and encode it with htmlspecialchars()
while($row = mysql_fetch_array($result))
{
  printf('
    Id :<input type="text" name="ppId" value="%s" READONLY></input><br>
    Name :<input type="text" name="pName" value="%s"></input><br>
    Description :<input type="text" name="pDesc" value="%s"></input><br>
    Unit Price :<input type="text" name="pUP" value="%s"></input><br>
    <input type="hidden" name="mode" value="Update"/>',
    htmlspecialchars($row['Id']),
    htmlspecialchars($row['Name']),
    htmlspecialchars($row['Description']),
    htmlspecialchars($row['UnitPrice'])
  );
}
VolkerK
+1  A: 
echo "Unit Price :<input type=\"text\" name=\"pUP\" value=\"".$row['UnitPrice']."\"></input></br>";

You need to enclose value in quotes.

N 1.1
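
An added example, not part of either answer or of the asker's code: the script below emits one field three ways (unquoted as in the question, quoted only, quoted and passed through htmlspecialchars()) and parses each result with PHP's DOMDocument to show which attributes and value the parser actually recovers. The sample values are constructed, the helper name parsedAttributes() is hypothetical, and it assumes the dom extension and a command-line run.

```php
<?php
// Added example. Sample values are constructed, not from the asker's database.
$samples = ['my product', 'abc"def', 'R&amp;D notes'];

// Three ways of emitting the same field (name pDesc is from the question).
$renderers = [
    // As in the question: no quotes around the attribute value.
    'unquoted' => function ($v) {
        return '<input type="text" name="pDesc" value=' . $v . '>';
    },
    // Quotes added, value not encoded.
    'quoted only' => function ($v) {
        return '<input type="text" name="pDesc" value="' . $v . '">';
    },
    // Quotes plus htmlspecialchars(); ENT_QUOTES also encodes single quotes.
    'quoted + encoded' => function ($v) {
        return '<input type="text" name="pDesc" value="'
            . htmlspecialchars($v, ENT_QUOTES, 'UTF-8') . '">';
    },
];

// Parse one tag and return the attributes the HTML parser attached to it.
function parsedAttributes($html)
{
    libxml_use_internal_errors(true); // malformed markup is expected here
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $attrs = [];
    $input = $doc->getElementsByTagName('input')->item(0);
    if ($input !== null) {
        foreach ($input->attributes as $attr) {
            $attrs[$attr->name] = $attr->value;
        }
    }
    return $attrs;
}

foreach ($samples as $value) {
    echo "stored value: $value\n";
    foreach ($renderers as $label => $render) {
        $attrs = parsedAttributes($render($value));
        $seen = isset($attrs['value']) ? $attrs['value'] : null;
        printf("  %-16s value=%s attributes=[%s] %s\n",
            $label, var_export($seen, true),
            implode(', ', array_keys($attrs)),
            $seen === $value ? 'round-trips' : 'ALTERED');
    }
}
```

Each output line reports whether the parsed value equals the stored one, so any rendering marked ALTERED is one where data can change what the markup means.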