
Do I use htmlspecialchars on $_GET['search'] on page2? Wouldn't I have to remove the htmlspecialchars from $_GET['search'] on page3 before I add mysql_real_escape_string to the variable? If so, how do I remove htmlspecialchars?

page1

    $searchterm = "test"; // the user's search term
    echo "<a href='page2?search=$searchterm'>$searchterm</a>";

page2

    $var = htmlspecialchars($_GET['search']);
    echo "<form action='page3' method='post'><input type='text' name='test' value='$var' /><input type='submit' value='submit' /></form>";

page3

    $search = mysql_real_escape_string($_POST['test']);
    // insert into the MySQL database
user892134

1 Answer


Do I use htmlspecialchars on $_GET['search'] on page2?

You use htmlspecialchars when you have some text and are about to output it as HTML.

That is what you are doing in your second example, so yes, you would.

Wouldn't I have to remove the htmlspecialchars from $_GET['search'] on page3

No. The HTML is parsed by the browser to produce a text value.

(This also means that browsers do not submit HTML-safe data, so when you take the data out of the database then you would use htmlspecialchars before outputting it to an HTML document).

before I add mysql_real_escape_string to the variable

Don't use mysql_real_escape_string, use prepared statements and parameterized queries.

Quentin
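The same three-page flow written out as an added example (not code from the question or the answer): htmlspecialchars is applied only at the point where text is output as HTML, the browser's entity decoding is shown to give back the original term, and a PDO prepared statement replaces mysql_real_escape_string. The page names, the `searches` table and the in-memory SQLite database are assumptions.

```php
<?php
// Added example, not code from the question or answer: the same three-page flow
// with escaping applied at each output boundary and a parameterized INSERT.
// Page names, the 'searches' table and the SQLite database are assumptions.

// page1: the term goes into a query string (urlencoded by http_build_query),
// then the URL goes into an HTML attribute (htmlspecialchars). Two contexts, two encoders.
function page1_link(string $term): string {
    $url = 'page2?' . http_build_query(['search' => $term]);
    return "<a href='" . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . "'>"
         . htmlspecialchars($term, ENT_QUOTES, 'UTF-8') . '</a>';
}

// page2: the value sits in a single-quoted attribute, so ENT_QUOTES matters;
// before PHP 8.1 the default flags left ' unescaped.
function page2_form(string $term): string {
    $safe = htmlspecialchars($term, ENT_QUOTES, 'UTF-8');
    return "<form action='page3' method='post'>"
         . "<input type='text' name='test' value='$safe' />"
         . "<input type='submit' value='submit' /></form>";
}

// What the browser does with page2's markup: it parses the entities back into
// text, so the POSTed value equals the original term. Nothing has to be "removed".
function browser_submits(string $attributeValue): string {
    return html_entity_decode($attributeValue, ENT_QUOTES, 'UTF-8');
}

// page3: the raw term is bound as a parameter, never concatenated into the SQL.
function page3_insert(PDO $pdo, string $term): void {
    $stmt = $pdo->prepare('INSERT INTO searches (term) VALUES (:term)');
    $stmt->execute([':term' => $term]);
}

$term = "o'reilly <b>&</b> \"co\"";   // constructed input with every troublesome character

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE searches (id INTEGER PRIMARY KEY, term TEXT NOT NULL)');

echo page1_link($term), "\n", page2_form($term), "\n";
$posted = browser_submits(htmlspecialchars($term, ENT_QUOTES, 'UTF-8'));
if ($posted !== $term) { throw new RuntimeException('round trip changed the value'); }
page3_insert($pdo, $posted);
$stored = $pdo->query('SELECT term FROM searches')->fetchColumn();
if ($stored !== $term) { throw new RuntimeException('stored value differs'); }
// Escape again only at the moment the stored text is rendered back into HTML.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```

Running it with `php` prints the page1 link, the page2 form and the re-escaped stored value; the database row itself holds the term exactly as typed.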