when to use htmlspecialchars() function?

4

30

Hi, I was wondering when the appropriate place to use htmlspecialchars() is. Is it before inserting data into the database or when retrieving it from the database?

Stanfield answered 3/2, 2011 at 3:12 Comment(0)
35

You should only call this method when echoing the data into HTML.

Don't store escaped HTML in your database; it will just make queries more annoying.
The database should store your actual data, not its HTML representation.

Lanta answered 3/2, 2011 at 3:14 Comment(4)
Thank you. But when I try to store PHP tags ("<?php and ?>") into the database, I would not be able to do that unless I use htmlspecialchars() beforehand. - Stanfield
@Stanfield don't store PHP in the DB, that's never a good idea. - Scarface
I agree, but they will be part of BBCode when inserting a post. - Stanfield
I don't see a reason why there's PHP in your BBCode ;) but if you want to store it for some reason, then htmlentities() should be done on the value before storing it in the DB. - Crus
21

You use htmlspecialchars EVERY time you output content within HTML, so it is interpreted as content and not HTML.

If you allow content to be treated as HTML, you have just opened the door to bugs at a minimum, and total XSS hacks at worst.

Southwick answered 3/2, 2011 at 3:15 Comment(0)
4

Save the exact thing that the user enters into the database. Then, when displaying it to the public, use htmlspecialchars(), so that it offers some XSS protection.

Crus answered 3/2, 2011 at 3:20 Comment(1)
But he is asking WHY to do so?? You didn't provide a reason in your answer. Please consider editing it. - Bamboo
2

Guide - How to use htmlspecialchars() function in PHP

To begin, you have to understand one simple concept: render.

What is render? Render is when the HTML transforms

<b>Hello</b>

to bold, like this: Hello. That's render.

So... when to use the htmlspecialchars() function?

Wherever you want to render HTML contents. For example, if you are using jQuery and you do this:

$("#YourDiv").html("<b>Hello</b>");

The div contents will be Hello. It rendered the text into HTML.

If you want to display the message in this way (as it was written by the user):

<b>Hello</b>

you have to put:

$("#YourDiv").text("<b>Hello</b>");

In that way the Hello will never be rendered.

If you want to load the message (as written by the user) into a textbox, textarea, etc., you have to put:

<input type="text" class="Textbox1" value="">

<script>
$(".Textbox1").val("<b>Hello</b>");
</script>

That will display

 <b>Hello</b>

inside the textbox without problems.

Conclusion:

Whatever data the user inputs into your forms, etc., save the data as normal. Do not use any function. If the user sent 12345, save it as it is. Do not filter anything. You only have to filter when you are going to display the data on the page to the users. YOU, ONLY YOU decide whether or not to render what the user wrote. *Remember that.

Regards!

Strangulate answered 9/9, 2017 at 4:53 Comment(0)
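Added example in PHP, not code from the question or from any of the answers. It pulls together the top answer (store the raw data, escape only when echoing into HTML) and the guide answer just above (the browser renders whatever it is handed as markup, so escape into the context the value lands in, element content or attribute). It assumes UTF-8 output; the helper name h(), the $db array standing in for a database row, and the input string are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Escape for element content or a double-quoted attribute value.
// ENT_QUOTES also converts ' and ", so the same helper is safe inside value="...".
// ENT_SUBSTITUTE keeps invalid UTF-8 from turning the whole string into "".
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed user input: markup, a quote that would close an attribute, and PHP tags.
$userInput = '<b>Hello</b> "x" & <?php echo 1; ?>';

// 1. Storage: keep the exact bytes the user sent. The array is a stand-in for a
//    DB column; with a real DB a prepared statement stores this string as-is,
//    markup, quotes and PHP tags included.
$db = ['post_body' => $userInput];

// 2. Output as element content: the browser shows the literal text; nothing renders.
$asContent = h($db['post_body']);
// &lt;b&gt;Hello&lt;/b&gt; &quot;x&quot; &amp; &lt;?php echo 1; ?&gt;

// 3. Output into an attribute (the textbox case from the guide answer): the quotes
//    are escaped too, so the value cannot break out of the attribute.
$asAttribute = '<input type="text" class="Textbox1" value="' . h($db['post_body']) . '">';

// 4. What goes wrong if you escape BEFORE storing and again at output: double encoding.
//    The stored &lt; becomes &amp;lt; and the reader literally sees "&lt;b&gt;".
$storedEscaped = h($userInput);
$doubleEncoded = h($storedEscaped);

// The page that is actually sent: escaped values go into the HTML,
// while the value in $db stays exactly what the user typed.
echo "<p>{$asContent}</p>\n";
echo $asAttribute, "\n";
echo "<!-- double-encoded by mistake: {$doubleEncoded} -->\n";
```

Run it with `php example.php` and view the output in a browser: the paragraph and the textbox both show the literal text `<b>Hello</b> "x" & <?php echo 1; ?>`, with nothing in bold, while the comment shows the `&amp;lt;` garbage you get when the database already holds escaped HTML.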