burnedfaceless
asked on
html special chars
Does it alter the variable
i.e.
$variable = ($_POST['vairable']);
then
htmlspecialchars($variable
Does that protect against html.
So any further use of that variable would be protected right?
Or does it need to be used for output?
i.e.
$variable = ($_POST['vairable']);
then
htmlspecialchars($variable
Does that protect against html.
So any further use of that variable would be protected right?
Or does it need to be used for output?
While what RayPaseur said is the original intention of htmlspecialchars(), it is extremely useful for protecting your database from malicious data.
I simply run every input through it to change all the special characters to their html code equivalents BEFORE I put the inputs into a database. This is a very easy way to protect against malicious html.
The only downside is that each special character takes up to 5 bytes to store in a database field, but the upside is that NO malicious data ever gets into your database, so you don't have to worry about using it in any fashion as output.
By using htmlspecialchars once on input, you don't have to use it many other times on output, and you can't forget to use it on an output and thereby expose your data to misuse.
I simply run every input through it to change all the special characters to their html code equivalents BEFORE I put the inputs into a database. This is a very easy way to protect against malicious html.
The only downside is that each special character takes up to 5 bytes to store in a database field, but the upside is that NO malicious data ever gets into your database, so you don't have to worry about using it in any fashion as output.
By using htmlspecialchars once on input, you don't have to use it many other times on output, and you can't forget to use it on an output and thereby expose your data to misuse.
ASKER
Ray I purchased the book you recommended two years ago. That is the basis of this question, it [htmlspecialchars] has been used only in writing (echo).
It's effect seems less visible on the post method or I am doing something wrong.
Please answer the question. That is what this website is for.
I actually bought both the books you recommended. I'm hitting them hard.
Ed. Note: I did answer the question, right at the top, but you're not far enough along in your understanding of PHP to recognize the answer! And that's why I recommend that you get some knowledge foundation in PHP. It's one thing to buy a book; it's very much another to actually read it and work through the code examples. Two months of deliberate and structured study will save you from two years of trial-and-error, missed deadlines, failed applications and general frustration! And at the end of the two months you'll be more than two years ahead. I teach PHP for a living and I see it all the time in the contrast between my students and the novice community in the many PHP forums on the WWW. The ones who concentrate their learning leap ahead, while the ones who just copy code samples without any deeper understanding of the design and thought processes get left behind. So don't get left behind -- try to understand, not just copy.
It's effect seems less visible on the post method or I am doing something wrong.
Please answer the question. That is what this website is for.
I actually bought both the books you recommended. I'm hitting them hard.
Ed. Note: I did answer the question, right at the top, but you're not far enough along in your understanding of PHP to recognize the answer! And that's why I recommend that you get some knowledge foundation in PHP. It's one thing to buy a book; it's very much another to actually read it and work through the code examples. Two months of deliberate and structured study will save you from two years of trial-and-error, missed deadlines, failed applications and general frustration! And at the end of the two months you'll be more than two years ahead. I teach PHP for a living and I see it all the time in the contrast between my students and the novice community in the many PHP forums on the WWW. The ones who concentrate their learning leap ahead, while the ones who just copy code samples without any deeper understanding of the design and thought processes get left behind. So don't get left behind -- try to understand, not just copy.
ASKER
By using htmlspecialchars once on input, you don't have to use it many other times on output, and you can't forget to use it on an output and thereby expose your data to misuse.
Is this what the above code does?
Yes, it is exactly what it does. It changes the input special characters to their html code equivalents, so they can never be used for anything but safe output.
ASKER
I am going to start working on AJAX when the book comes in. It does what I need.
They're all really the same. Even the syntax thought process is exactly the same.
Interactions are the hard part but...focus on that...
They're all really the same. Even the syntax thought process is exactly the same.
Interactions are the hard part but...focus on that...
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you for answering my question
To anyone reading this question in the future, I recommend against using the htmlspecialchars() function in the manner described here:
https://www.experts-exchange.com/questions/28309425/html-special-chars.html?anchorAnswerId=39694362#a39694362
https://www.experts-exchange.com/questions/28309425/html-special-chars.html?anchorAnswerId=39694436#a39694436
If you're contemplating doing something like that, contact your lead programmer or the other programmers on your team to be sure you're all on the same page about the standards. This function mungs the data. If you do that before you write it into the data base, and the other programmers naturally assume that they need to use htmlspecialchars() on the output side, which is the way it was intended, then your data is going to be passed through htmlspecialchars() twice. You probably do not want to do that.
You probably also want to read the user-contributed notes here, before you assume that this function will be compatible with the character set encoding of your data base. PHP has changed how this function works.
http://www.php.net/manual/en/function.htmlspecialchars.php
https://www.experts-exchange.com/questions/28309425/html-special-chars.html?anchorAnswerId=39694362#a39694362
https://www.experts-exchange.com/questions/28309425/html-special-chars.html?anchorAnswerId=39694436#a39694436
If you're contemplating doing something like that, contact your lead programmer or the other programmers on your team to be sure you're all on the same page about the standards. This function mungs the data. If you do that before you write it into the data base, and the other programmers naturally assume that they need to use htmlspecialchars() on the output side, which is the way it was intended, then your data is going to be passed through htmlspecialchars() twice. You probably do not want to do that.
You probably also want to read the user-contributed notes here, before you assume that this function will be compatible with the character set encoding of your data base. PHP has changed how this function works.
http://www.php.net/manual/en/function.htmlspecialchars.php
ASKER
Ray thanks for your input.
You obviously know way more about this than me, and most people on this website. So is my use acceptable? If you're trying to teach me something I'm missing it.
I'm really looking forward to the computer science classes.
I've noticed that song meanings emails me replies to my comments that have been run through htmlspecialchars. Of course they're not malicious but you can notice small alterations.
You obviously know way more about this than me, and most people on this website. So is my use acceptable? If you're trying to teach me something I'm missing it.
I'm really looking forward to the computer science classes.
I've noticed that song meanings emails me replies to my comments that have been run through htmlspecialchars. Of course they're not malicious but you can notice small alterations.
ASKER
P.s. I have to work on the android tablets today. You really are a genius who saved me hours of work.
http://www.amazon.com/PHP-MySQL-Web-Development-Edition/dp/0321833899
HTMLSpecialChars() is used on the output side of the processing before you echo any data to the browser. In a well-designed application it would never be used on any data that is stored, just on the output.
http://php.net/manual/en/function.htmlspecialchars.php
You do not "protect against HTML" -- the point of the function is to prevent external data from injecting malicious javascript or similar into your web site in a way that would cause the web site to send the malicious script to a client machine.