
I know these:

  1. For HTML text: htmlentities() or htmlspecialchars()
    When outputting plain visible text within HTML para/div tags.

  2. For URL-encoded values: urlencode()
    When sending data to a function in PHP that expects URL-encoded values.

I don't know this:

  1. For HTML form values: ??
    When outputting hidden data within HTML <input value="DATA"> tags.
Robin Rodricks
  • A search for ['data sanitizing'](https://www.google.co.uk/search?q=data+sanitizing+php) will [answer](http://www.php.net/manual/en/filter.filters.sanitize.php) [this](http://stackoverflow.com/questions/5863508/php-sanitize-data) [question](http://net.tutsplus.com/tutorials/php/sanitize-and-validate-data-with-php-filters/). It's covered widely across the web. If those links don't help, your question needs more information to make it clearer. – naththedeveloper Feb 02 '14 at 14:32
  • 1) and 2) are both HTML, so `htmlspecialchars`. 3) doesn't make much sense to me. – deceze Feb 02 '14 at 14:46
  • There's no such thing as POST-like format. If you're sending strings via POST, you gotta make sure that the string is in the format you're expecting it to be in, if you're receiving numbers, you gotta make sure that you're only receiving numbers (either integers or floats), so on and so forth. POST-like data doesn't exist. – ILikeTacos Feb 02 '14 at 14:51

1 Answer


Attribute values are HTML text. Use htmlspecialchars.

Quentin
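As an added example (not code from the question or the answer), the following PHP escapes one constructed hostile value for the three contexts the question lists, including the hidden `<input value="…">` case; the helper names `e()` and `q()` are assumptions:

```php
<?php
// Added example: context-specific escaping for the cases in the question.
declare(strict_types=1);

// For HTML text nodes AND for quoted attribute values (the answer's point:
// attribute values are HTML text). ENT_QUOTES also escapes ' so the helper
// is safe inside single-quoted attributes; ENT_SUBSTITUTE replaces invalid
// UTF-8 with U+FFFD instead of silently returning an empty string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// For a single query-string component (a key or a value), not a whole URL.
function q(string $s): string
{
    return urlencode($s);
}

// Constructed sample: tries to close the attribute and inject a handler.
$data = '" onfocus="alert(1)" x="';

// 1. Visible text between tags.
echo '<p>' . e($data) . "</p>\n";

// 3. Hidden form value. Two things are required together: the attribute
//    must be quoted, and the value escaped. htmlspecialchars() does not
//    touch spaces, so an UNQUOTED attribute would still end at the first
//    space and the rest would be parsed as new attributes.
echo '<input type="hidden" name="token" value="' . e($data) . "\">\n";

// 2. URL query component that is itself placed inside an HTML attribute:
//    URL-encode first (URL context), then HTML-escape (attribute context).
echo '<a href="/search?q=' . e(q($data)) . "\">link</a>\n";
```

Every `"` in `$data` reaches the browser as `&quot;`, so the hidden input keeps a single `value` attribute and no `onfocus` attribute is created.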