-1

I have a user form where I give the user the possibility to enter text in a textarea and to change the text later.

Here is my example for the HTML textarea:

<textarea class="form-control" rows="4" name="answer_text" type="text">
<?php echo strip_tags(nl2br(htmlspecialchars($answers['answer_text']))); ?>
</textarea>
  • Text Input: "This is text".
  • Text Output (echo): &quot;This is text&quot;.
  • Desired / Expected output: "This is text".

To avoid <br> in the echo I use strip_tags(). To show line breaks I use nl2br(). For security reasons I use htmlspecialchars().

However, if the user uses quotation marks (" or "") in his text, I get &quot; in my text echo. I can solve this by removing htmlspecialchars(), but I think it's important to use it here. Is there any chance to get the correct output, meaning the quotation marks shown instead of &quot;?

EDIT:
I was using htmlspecialchars() two times: once while getting the user's input value via $_POST = htmlspecialchars($value) to send it to the table, and a second time during the HTML echo as shown above.

As explained by @CBroe, the problem occurred because the data got encoded twice. Initially " became &quot;, and then, during the second encoding, the & of that got turned into &amp;.

The right way in my case is to not use htmlspecialchars() during SQL INSERT or UPDATE (I am using PDO prepared statements) and to only use htmlspecialchars() during the HTML echo, depending on the situation.
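As an added example (not the asker's code) of the approach described in the edit: the text is stored unchanged through a PDO prepared statement and escaped exactly once when the textarea is rendered. It assumes an in-memory SQLite database; the table name and sample input are made up.

```php
<?php
// Added example, not the asker's code. Assumes PDO with the SQLite driver.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE answers (id INTEGER PRIMARY KEY, answer_text TEXT)');

// Constructed sample input, as if it came from $_POST['answer_text'].
$input = "He said \"hello\" & left.\n<script>alert(1)</script>";

// Store the text unmodified: the bound parameter keeps it out of the SQL
// itself, so no HTML escaping is needed (or wanted) at this point.
$stmt = $pdo->prepare('INSERT INTO answers (answer_text) VALUES (:t)');
$stmt->execute([':t' => $input]);

// Read it back, again with a prepared statement.
$stmt = $pdo->prepare('SELECT answer_text FROM answers WHERE id = :id');
$stmt->execute([':id' => 1]);
$stored = $stmt->fetchColumn();

function render_textarea(string $text): string
{
    // Escape exactly once, at output. Inside <textarea> the browser shows
    // &quot; as a plain ", and line breaks are preserved without nl2br().
    return '<textarea class="form-control" rows="4" name="answer_text">'
         . htmlspecialchars($text, ENT_QUOTES, 'UTF-8')
         . '</textarea>';
}

// Escaping twice (the asker's original setup) encodes the & of &quot; again,
// which is what produced the garbled output described in the question.
$double = htmlspecialchars(
    htmlspecialchars($input, ENT_QUOTES, 'UTF-8'),
    ENT_QUOTES,
    'UTF-8'
);

echo render_textarea($stored), "\n";
var_dump($stored === $input);
echo $double, "\n";
```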

  • Why do you think you need htmlspecialchars? – Feb 24 '21 at 09:44
  • Maybe I misunderstood the function, but it is needed to avoid that a user can bring some code into my database (SQL injection). The text was inserted using a PHP PDO query. – Mischa Milivoje Bakic Feb 24 '21 at 09:47
  • You could also prepare your data via PDO instead – GlennM Feb 24 '21 at 09:55
  • Yes, you most definitely have misunderstood. Databases do not talk HTML, so do not need things to be HTML escaped, or tag stripped. They need **SQL** escaping - or, much better, separation of data from query using parameterized prepared queries. See https://stackoverflow.com/q/60174/157957 HTML escaping should be used when **displaying** data on the browser; it should happen **exactly once**, otherwise you'll end up with garbage like `&amp;amp;` where the same string has been escaped multiple times. – IMSoP Feb 24 '21 at 09:58
  • OK, understood. To summarize, and please confirm if I got it now: if I use prepared statements for INSERT/UPDATE and also later for SELECT, there is no need to use htmlspecialchars() at any point. – Mischa Milivoje Bakic Feb 24 '21 at 10:16
  • Of course there is a point for using htmlspecialchars, when you are actually creating HTML output - which you are doing, in the code you have shown. Imagine what would happen, if the _text_ I entered into this form, was `foobar baz`, what would your resulting HTML code look like then, if you did _not_ apply any form of escaping? – CBroe Feb 24 '21 at 10:17
  • _“Is there any chance to get the correct output means the quotation marks shown instead of "?”_ - have you actually _read_ the manual for `htmlspecialchars` …? Doesn’t sound like it, so I suggest you go and do that now. How you can influence whether quotes are converted to HTML entities or not, is explained in there in sufficient detail! – CBroe Feb 24 '21 at 10:20
  • @CBroe sure I did, but I recognized now that I have used `htmlspecialchars` in two positions. I already have it in my `INSERT`/`UPDATE` query where I get the `$_POST` values from the user. I will leave it there and will remove it from the echo, so I am fine. – Mischa Milivoje Bakic Feb 24 '21 at 13:16
  • No, that is not “fine”, that is exactly the wrong way around. Using it in the database insert portion was simply wrong to begin with. – CBroe Feb 24 '21 at 13:17
  • Well, I understand where you are coming from. It is because to "clear" the echo or "clear" what's displayed. Absolutely understood. But is it making a difference in the end technically? – Mischa Milivoje Bakic Feb 24 '21 at 13:23
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/229160/discussion-between-mischa-milivoje-bakic-and-cbroe). – Mischa Milivoje Bakic Feb 24 '21 at 13:25

1 Answer

-1

Try to use htmlentities() instead of htmlspecialchars(). Like this:

<textarea class="form-control" rows="4" name="answer_text" type="text">
<?php echo strip_tags(nl2br(htmlentities($answers['answer_text']))); ?>
</textarea>