20

I have always been confused with URL/HTML encoding/escaping. I am using PHP, so I want to clear some things up.

Can I say that I should always use

  • urlencode: for individual query string parts

      $url = 'http://test.com?param1=' . urlencode('some data') . '&param2=' . urlencode('something else');

  • htmlentities: for escaping special characters like <> so that if will be rendered properly by the browser

Would there be any other places I might use each function? I am not good at all these escaping stuff and am always confused by them.

Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
Jiew Meng
  • 84,767
  • 185
  • 495
  • 805

3 Answers3

34

First off, you shouldn't be using htmlentities() around 99% of the time. Instead, you should use htmlspecialchars() for escaping text for use inside XML and HTML documents.

htmlentities are only useful for displaying characters that the native character set you're using can't display (it is useful if your pages are in ASCII, but you have some UTF-8 characters you would like to display). Instead, just make the whole page UTF-8 (it's not hard), and be done with it.

As far as urlencode(), you hit the nail on the head.

So, to recap:

  • Inside HTML:

    <b><?php echo htmlspecialchars($string, ENT_QUOTES, "UTF-8"); ?></b>

  • Inside of a URL:

    $url = '?foo=' . urlencode('bar');
Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
ircmaxell
  • 163,128
  • 34
  • 264
  • 314
19

That's about right. Although - htmlspecialchars is fine, as long as you get your charsets straight. Which you should do anyway. So I tend to use that, so I would find out early if I had messed it up.

Also note that if you put a URL into an HTML context (say - in the href of an a-tag), you need to escape that. So you'll often see something like:

echo "<a href='" . htmlspecialchars("?foo=" . urlencode($foo)) . "'>clicky</a>"
Peter Mortensen
  • 30,738
  • 21
  • 105
  • 131
troelskn
  • 115,121
  • 27
  • 131
  • 155
  • 1
    Great answer. This is an example of how to escape for a context within another context properly. It is important to note that even though urlencode will never output any special html chars to cause any problems, it doesn't hurt to escape the whole html attribute content. – Phil Oct 14 '16 at 21:27
0

If you are building a query string for your URL, then it's best to just use http_build_query() instead of manually encoding each part.

$params = [
    'param1' => 'some data',
    'param2' => 'something else',
];

echo '<a href="https://test.com?'.htmlspecialchars(http_build_query($params)).'">Link</a>';

All output in HTML should be HTML encoded too, despite there being a very tiny chance your URL, which is properly encoded, will break the HTML.

Dharman
  • 30,962
  • 25
  • 85
  • 135