Is there a need to use html_entity_decode?

Posted on 2006-04-09
Last Modified: 2012-05-05
For a text field where I want to allow apostrophes (single quotes) and basic HTML like a bold tag. I am filtering the input field, stripping the data and using addslashes() if required.

When it comes to updating this field - I would use stripslashes and htmlspecialchars to convert the quotes and <> to HTML entities, as in stripslashes(htmlspecialchars($data_value, ENT_QUOTES))

I can see the slashes have been stripped and entities used - example:
   "do quote's work? new <b>test</b>" - becomes
   "do quote&#039;s work?\nnew&lt;b&gt;test&lt;/b&gt;"

The content in the input field <textarea> looks correct - no unusual characters
  do quote's work? new test -- where test is in bold

When the form is posted the incoming value does not contain entities but just the characters. The quote is a ' and the &lt; is a <

It would appear I do not need to use html_entity_decode on this data before saving to revert it back. I would need to ensure I save the data as it appears and not with the HTML entity values.
I would want to search on quote's and not quote&#039;s

I ask because there are a number of comments in the online html manual about using an un-convert entity function or html_entity_decode(). I would think this is only needed if the data was not being displayed and posted back or was in a hidden field and somehow the entity values were still retained.

Anyway - interested to see if I am missing something.

Question by: Bl248

    Accepted Solution

    You aren't missing anything. I was curious about this myself a while back and ran some tests. You should run some tests too just to convince yourself, but yeah where there are html special characters in the HTML CODE of a form field, they are in fact submitted as their real entities. Whatever page receives the posted information does in fact receive a "<" and not a "&lt;" (for example).

    However, if you TYPE html entities into a form field, in an actual browser, they are submitted exactly as typed--typing "&lt;" does in fact submit "&lt;" -- things TYPED into a form field by an actual user are taken literally. But things pre-filled into the underlying HTML code as the form field's value are *rendered* into HTML and thus the browser itself is doing the html_entity_decode for you, just like it does for everything else in the code. So when it submits it submits as the decoded entity--the real thing.

    So worry not!

    Author Comment

    Thanks - sometimes you just need to talk these things out. This confirms then that I really do not want to add the entity_decode step. If I use these functions in an application where I want to allow users to enter actual code snippets then I want the entered entity codes to be retained so that if I output the saved content in <pre> or <xmp> tags then, they are displayed as entered.

    I'm sure there are special applications where they need to do the entity_decode then but it's not something the standard apps that I write need.
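
The round trip discussed in this thread, as an added example that is not code from any of the posts: the stored value is encoded with htmlspecialchars() for output into a `<textarea>`, an HTML parser stands in for the browser, and the value that would be posted back is compared with the stored one, with and without an extra html_entity_decode(). The function names `render_form` and `browser_submits` and the second sample string are hypothetical, and PHP's DOM extension is assumed to be available.

```php
<?php
// Added example; render_form() and browser_submits() are hypothetical names.

// Server side: encode the stored value on output into the form field.
function render_form(string $stored): string
{
    $safe = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    return '<form method="post"><textarea name="body">' . $safe . '</textarea></form>';
}

// Stand-in for the browser: parse the HTML and return the textarea's value,
// which is what would be sent in the POST body if the user edits nothing.
function browser_submits(string $html): string
{
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    return $doc->getElementsByTagName('textarea')->item(0)->textContent;
}

// Constructed sample values.
$samples = [
    "do quote's work? new <b>test</b>",    // the string from the question
    'Use &lt;b&gt; to show a literal tag',  // a user who typed entities on purpose
];

foreach ($samples as $stored) {
    $posted  = browser_submits(render_form($stored));
    $decoded = html_entity_decode($posted, ENT_QUOTES, 'UTF-8');

    echo "stored:                 $stored\n";
    echo "posted back:            $posted\n";
    echo "after an extra decode:  $decoded\n";
    echo "posted matches stored:  " . var_export($posted === $stored, true) . "\n";
    echo "decoded matches stored: " . var_export($decoded === $stored, true) . "\n\n";
}
```

For the second sample the posted value still matches what was stored, while the extra html_entity_decode() turns the typed `&lt;b&gt;` into a real `<b>` tag, so the saved data no longer matches what the user entered.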

