strip slashes
That's right so far.
This is complicated by the fact that the output goes into a form input
And this is a different issue: You use single quotes for the HTML element attributes, so you cannot use them in the attribute value like that*. Attribute values should always be escaped with htmlspecialchars (you will have to set the ENT_QUOTES flag in this case).
*) Your current HTML (with stripslashes applied) looks like this:
<input value='O'Reilly'>
The Reilly' part is invalid and thus ignored; this leaves value='O'.
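
The difference described above, as an added PHP example that is not part of the original answer: it renders the same value into a single-quoted attribute with and without htmlspecialchars and ENT_QUOTES, then reads the value back through an HTML parser. The function names, the `author` field name and the sample values are assumptions made for illustration.

```php
<?php
// Added example; render_unescaped(), render_escaped() and parsed_value()
// are hypothetical helper names, not code from the original post.

// Markup as in the answer: raw value inside a single-quoted attribute.
function render_unescaped(string $value): string
{
    return "<input name='author' value='" . $value . "'>";
}

// Escaped for the attribute context. ENT_QUOTES makes htmlspecialchars()
// encode ' as well as ", which is required because the attribute itself
// is delimited by single quotes.
function render_escaped(string $value): string
{
    return "<input name='author' value='"
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "'>";
}

// Parse the markup with an HTML parser and return the value attribute
// it actually ends up with.
function parsed_value(string $html): string
{
    $prev = libxml_use_internal_errors(true); // malformed markup is expected
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input === null ? '' : $input->getAttribute('value');
}

// Constructed samples: the first is the value after stripslashes(),
// the second mixes both quote characters.
$samples = [
    stripslashes("O\\'Reilly"),
    'Tim "The Boss" O\'Reilly',
];

foreach ($samples as $value) {
    foreach (['render_unescaped', 'render_escaped'] as $render) {
        $html = $render($value);
        printf("%-17s markup: %s\n", $render, $html);
        printf("%-17s parsed: %s\n", $render, parsed_value($html));
    }
    echo "\n";
}
```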