Is there a need to use html_entity_decode?

Posted on 2006-04-09
Medium Priority
Last Modified: 2012-05-05
For a text field where I want to allow apostrophes (single quotes) and basic HTML like a bold tag. I am filtering the input field, stripping the data and using addslashes() if required.

When it comes to updating this field - I would use stripslashes and htmlspecialchars to convert the quotes and <> to HTML entities, as in stripslashes(htmlspecialchars($data_value,ENT_QUOTES))

I can see the slashes have been stripped and entities used - example:
   "do quote's work? new <b>test</b>" - becomes
   "do quote&#039;s work?\nnew&lt;b&gt;test&lt;/b&gt;"

The content in the input field <textarea> looks correct - no unusual characters
  do quote's work? new test -- where test is in bold

When the form is posted the incoming value does not contain entities but just the characters. The quote is a ' and the &lt; is a < 

It would appear I do not need to use html_entity_decode on this data before saving to revert it back. I would need to ensure I save the data as it appears and not with the HTML entity values.
I would want to search on quote's and not quote&#039;s

I ask because there are a number of comments in the online html manual about using an un-convert entity function or html_entity_decode(). I would think this is only needed if the data was not being displayed and posted back or was in a hidden field and somehow the entity values were still retained.

Anyway - interested to see if I am missing something.

Question by:Bl248

Accepted Solution

Vallenwood earned 1000 total points
ID: 16414760
You aren't missing anything. I was curious about this myself a while back and ran some tests. You should run some tests too just to convince yourself, but yeah where there are html special characters in the HTML CODE of a form field, they are in fact submitted as their real entities. Whatever page receives the posted information does in fact receive a "<" and not a "&lt;" (for example).

However, if you TYPE html entities into a form field, in an actual browser, they are submitted exactly as typed--typing "&lt;" does in fact submit "&lt;" -- things TYPED into a form field by an actual user are taken literally. But things pre-filled into the underlying HTML code as the form field's value are *rendered* into HTML and thus the browser itself is doing the html_entity_decode for you, just like it does for everything else in the code. So when it submits it submits as the decoded entity--the real thing.

So worry not!

Author Comment

ID: 16416805
Thanks - sometimes you just need to talk these things out. This confirms then that I really do not want to add the entity_decode step. If I use these functions in an application where I want to allow users to enter actual code snippets then I want the entered entity codes to be retained so that if I output the saved content in <pre> or <xmp> tags then, they are displayed as entered.

I'm sure there are special applications where they need to do the entity_decode then, but it's not what the standard apps that I write need.
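
The round trip discussed in the answer and the follow-up comment, as an added example that is not code from either poster: it encodes a value with htmlspecialchars, lets an HTML parser read the field back the way a browser would, and shows what an extra html_entity_decode() does to entity codes the user typed. The helper names, the sample strings, and the use of DOMDocument as a stand-in for the browser are assumptions.

```php
<?php
// Added example. Helper names and sample strings are constructed for illustration.

// Server side: encode a stored value before placing it inside a <textarea>.
function render_field(string $stored): string
{
    return '<form><textarea name="note">'
        . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8')
        . '</textarea></form>';
}

// Stand-in for the browser (assumption: DOMDocument's HTML parser decodes
// character references in field content the way a browser does). Returns
// the value the form would submit if the user changed nothing.
function browser_field_value(string $html): string
{
    libxml_use_internal_errors(true);   // keep parser notices off the output
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    return $doc->getElementsByTagName('textarea')->item(0)->textContent;
}

function report(string $label, string $expected, string $actual): void
{
    printf("%-34s %s\n  got: %s\n", $label, $expected === $actual ? 'unchanged' : 'CHANGED', $actual);
}

// Case 1: stored text with a quote and markup, pre-filled into the form.
$stored = "do quote's work? new <b>test</b>";
report('pre-filled, no decode on POST', $stored, browser_field_value(render_field($stored)));

// Case 2: the user typed entity codes literally; they arrive as typed and
// survive a later edit round trip without any decode step.
$typed = 'write &lt;b&gt; for bold';
report('typed entities, no decode on POST', $typed, browser_field_value(render_field($typed)));

// Case 3: an extra html_entity_decode() on the posted value rewrites what
// the user entered, and runs after any filtering applied to the raw input.
report('typed entities, extra decode', $typed, html_entity_decode($typed, ENT_QUOTES, 'UTF-8'));
```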

