
I must mention first of all: I'm a newbie in PHP, so please understand me.

I have a difficulty with this form:

    <form action="something.php" method="get">
    <input type="text" name="something">
    <input type="submit" value="send">
    </form>

In "something.php" I have this line of code:

   <?php
   $something = $_GET["something"];
   ?>

When I write `<a href="#">asdqw</a>` in the HTML form, for example, it shows me exactly that code...

Understand me... I'm a newbie at this, and I want to learn.

I want to encode that: if somebody writes characters like `<`, `>`, `$`, `^` etc., display something else, because I don't want it to affect me.

I want to mention that I also use a database. What I write in that form will be saved in the database and shown on another page, but also in the URL bar, like: "http://some-site.com/page.php?something=something". I hope you understand me, and forgive my bad language. I'm Romanian, and I don't want to use a translator.

Akhil
Muzica Veche
    Try http://php.net/htmlspecialchars? – Marc B Aug 19 '13 at 19:44
  • I already tried that, but I didn't succeed. – Muzica Veche Aug 19 '13 at 19:45
  • `$` and `^` are not HTML metacharacters anyway; they cannot "affect" you. – Marc B Aug 19 '13 at 19:46
  • 1
    When you store to the database you don't want to store the encoded version, just use the escaping mechanisms of your database library. When you display the text you should use the escaping appropriate for the context you are displaying it in for example: `echo htmlspecialchars($row["data"]);` – Orangepill Aug 19 '13 at 19:48
  • 1
    Note that `htmlspecialchars()` will encode only characters that match, well, special characters for HTML. Let's say, if you have the string `¡Saludos desde Concepción!`, it will make it look exactly the same. `htmlspecialchars()` only encodes `&` as `&amp;`, `<` as `&lt;` and `>` as `&gt;` (also `"` as `&quot;` if you define ENT_NOQUOTES and `'` as `&#039;` if you define ENT_QUOTES). `htmlentities()`, on the other side, will transform your string into `&iexcl;Saludos desde Concepci&oacute;n!`, so all characters that have an HTML equivalent will be converted. – Alejandro Iván Aug 19 '13 at 19:58

1 Answer

Use htmlspecialchars():

    $something = htmlspecialchars($_GET['something'], ENT_QUOTES | ENT_HTML5);

You should use this method for outputting data in an HTML context.
If you want to save the data into your database, you should instead use MySQLi with prepared statements, or PDO.

Here is a very nice answer showing important information about edge cases of Prepared Statements/PDO and MySQLi::real_escape_string(): SQL injection that gets around mysql_real_escape_string()

ComFreek
  • No, don't do this on input, but on output. And I recommend against using `MySQLi::real_escape_string`. – Marcel Korpel Aug 19 '13 at 19:54
  • 1
    @MarcelKorpel He *is* outputting the data in a link tag (see the question). Why do you recommend against using that method? I already recommended prepared statements. It's at least better than nothing. – ComFreek Aug 19 '13 at 19:57
  • `htmlspecialchars` should be enough. And there *are* edge cases where `real_escape_string` is not sufficient; I can't find them now, though. – Marcel Korpel Aug 20 '13 at 09:35
  • @MarcelKorpel I agree with *htmlspecialchars()*. The edge cases get introduced by either setting a different client encoding than the MySQL server's character set or by misusing the function (see the first post in the linked question). I've added a link to the answer. – ComFreek Aug 20 '13 at 10:13
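The thread's advice boils down to one rule: store the raw string with a prepared statement, and escape it at output time for whichever context it lands in (HTML text, a URL query parameter, an HTML attribute). The script below is an added example written for this page, not code from the question or the answer. It assumes the PHP CLI with the bundled `pdo_sqlite` driver so that it runs offline; the `posts` table, the `h()` and `link_to()` helper names, and the sample inputs are all made up here.

```php
<?php
// Added example (not from the original question or answer): one user-supplied
// string handled in the three contexts discussed in the thread.
// Assumes PHP CLI with pdo_sqlite; the table name and helpers are invented here.
declare(strict_types=1);

// Constructed sample inputs, standing in for $_GET['something'].
$samples = [
    '<a href="#">asdqw</a>',
    'it\'s "quoted" & $^ stuff',
    '¡Saludos desde Concepción!',
    "' OR '1'='1",
];

// 1. HTML body/attribute context: escape at output time, never before storage.
function h(string $s): string
{
    // ENT_QUOTES covers both quote styles so the value is also safe inside a
    // quoted attribute; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. URL query context: a query-string parameter needs URL encoding, not HTML
//    encoding. http_build_query() applies percent-encoding to keys and values.
function link_to(string $page, array $params): string
{
    return $page . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// 3. SQL context: a prepared statement keeps the data out of the query text, so
//    the raw string is stored exactly as typed, with no escaping baked into the row.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, something TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO posts (something) VALUES (:something)');
foreach ($samples as $s) {
    $insert->execute([':something' => $s]);
}

// Display page: read the raw rows back and escape for the context each value lands in.
$rows = $db->query('SELECT id, something FROM posts ORDER BY id')->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
    $text = $row['something'];
    // Vulnerable form, shown for comparison only: the browser interprets the <a> tag.
    $unsafe = "<li>$text</li>";
    // Hardened form: the same bytes are rendered as literal text.
    $safe = '<li>' . h($text) . '</li>';
    // The value inside a link: URL-encode it for the href, then HTML-escape the attribute.
    $href = h(link_to('page.php', ['something' => $text]));
    echo "raw:  $unsafe\n";
    echo "safe: $safe\n";
    echo "link: <a href=\"$href\">view</a>\n\n";
}

// htmlspecialchars() vs htmlentities(): only the former leaves non-ASCII text untouched.
echo htmlspecialchars('¡Saludos desde Concepción!', ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
echo htmlentities('¡Saludos desde Concepción!', ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
```

Run it with `php example.php`. The `raw:` lines are what the asker saw (the `<a>` markup survives into the page); the `safe:` lines show `&lt;a href=&quot;#&quot;&gt;asdqw&lt;/a&gt;`, which the browser displays as text. The `link:` lines show the double encoding a URL inside an attribute needs: `&` between parameters becomes `&amp;` after `h()`, and `<`, `"` and spaces are already percent-encoded by `http_build_query()`, so neither layer can break out of the other. The last two lines reproduce the difference Alejandro Iván describes in the comments.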