Why and when to use htmlentities and htmlspecialchars

Posted on 2014-08-19
Last Modified: 2014-08-19
Dear experts,

I know what htmlentities and htmlspecialchars do, as in converting <, >, &, etc. into &lt;, &gt; etc.

I wish to know when to use these functions, and shall I store converted values such as &lt;, &gt; etc. into the database?

Question by:Kinderly Wade
    LVL 29

    Assisted Solution

    by:Göran Andersson
    You should HTML encode basically any text that you put in the HTML code, like text content in an element and values for attributes. Example:

    <div class="<?php echo htmlspecialchars($divClass) ?>"><?php echo htmlspecialchars($divContent)?></div>


    This applies of course to strings that you don't have full control over yourself. If you know that the string certainly can't contain anything that needs to be encoded, you naturally don't have to encode it.

    Normally you would not store the text HTML encoded in the database, but rather encode it when you have fetched it from the database and want to display it in the page. HTML encoded text takes up more space in the database, and by HTML encoding it you would designate the data for being displayed in HTML. If you for example want to do a text search in the data, that becomes difficult or inefficient if it has HTML entities in it.
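    The answer above encodes in two contexts (an attribute value and element text). The following is an added example, not code from the thread, that takes the same $divClass/$divContent pattern and shows the flag and quoting details that decide whether htmlspecialchars() actually protects you: ENT_QUOTES (single quotes were not encoded by the default flags before PHP 8.1), an explicit charset, and the fact that no encoding helps an unquoted attribute. The helper name h() and the attacker strings are constructed for this example.

```php
<?php
// Added example, not from the original post. Shows where htmlspecialchars()
// must be applied and which flags matter. $divClass/$divContent mirror the
// answer above; the attacker strings are constructed test input.
declare(strict_types=1);

// Encoder for HTML text nodes and quoted attribute values (name h() is ours).
// ENT_QUOTES also encodes the single quote (' -> &#039;), which the default
// flags did not do before PHP 8.1; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string; pass the charset explicitly.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed attacker-controlled values.
$divClass   = 'x" onmouseover="alert(1)';            // tries to break out of a double-quoted attribute
$divContent = '<script>alert(document.cookie)</script>';
$single     = "x' onmouseover='alert(1)";             // only dangerous inside single-quoted attributes

// Correct: encode every untrusted value at the point it is written into HTML.
echo sprintf('<div class="%s">%s</div>', h($divClass), h($divContent)), PHP_EOL;
// <div class="x&quot; onmouseover=&quot;alert(1)">&lt;script&gt;alert(document.cookie)&lt;/script&gt;</div>

// With the pre-8.1 default flags (ENT_COMPAT) the single quote is left alone,
// so a single-quoted attribute is still injectable:
$legacy = htmlspecialchars($single, ENT_COMPAT, 'UTF-8');
echo "<div class='$legacy'></div>", PHP_EOL;
// <div class='x' onmouseover='alert(1)'></div>   <-- attribute broken out of

// With ENT_QUOTES the quote becomes &#039; and the attribute stays intact:
echo "<div class='" . h($single) . "'></div>", PHP_EOL;
// <div class='x&#039; onmouseover=&#039;alert(1)'></div>

// Encoding does not help if the attribute is not quoted at all: a space ends
// the attribute value, and htmlspecialchars() does not touch spaces.
$unquoted = 'x onmouseover=alert(1)';
echo '<div class=' . h($unquoted) . '></div>', PHP_EOL;
// <div class=x onmouseover=alert(1)></div>      <-- event handler injected anyway

// htmlentities() additionally converts every character that has a named entity
// (e.g. é -> &eacute;). On a UTF-8 page that is unnecessary and only grows the
// output; htmlspecialchars() already covers the characters that matter to the parser.
echo htmlspecialchars('café & <b>', ENT_QUOTES, 'UTF-8'), PHP_EOL; // café &amp; &lt;b&gt;
echo htmlentities('café & <b>', ENT_QUOTES, 'UTF-8'), PHP_EOL;     // caf&eacute; &amp; &lt;b&gt;
```

    Run it with `php example.php`. The practical rules it demonstrates: always quote attribute values, always pass ENT_QUOTES and the charset, and remember that htmlspecialchars() only covers HTML text and attribute contexts; a value written into a JavaScript block, a URL or a CSS rule needs that context's own encoding.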
    LVL 107

    Expert Comment

    by:Ray Paseur
    Do not store the converted values in the database.  Store the originals.

    Use these functions whenever your script creates output from user input.  Typically this would be in the View component of the MVC design pattern.  The idea is to make stray and unwanted HTML and JavaScript into something that is safe for the client browsers.  If you do not do this, the client browser will run JavaScript when you send the JavaScript, and that may include doing some rather nasty things to the clients.

    Author Comment

    by:Kinderly Wade
    Hi experts,

    If I don't store the converted value into the database, what can I do to prevent a SQL injection? I am trying to convert characters in a way that can be safely stored into the database with SQL injection prevention. Thanks.
    LVL 107

    Accepted Solution

    I think you're confusing SQL injection with the output-related issues associated with sending evil JavaScript to the browser.  SQL injection may occur when your script uses unfiltered external data in a query string.  But rather than have me repeat it all, here is a link to an authoritative source -- required reading if you are going to create a web site that faces the public!
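    As an added example (not the linked source and not code from the thread), this shows the two problems kept apart the way the accepted solution describes: SQL injection is stopped by binding values as parameters of a prepared statement, so the original text is stored unchanged, and HTML encoding happens only when the stored text is written into the page. It uses PDO with an in-memory SQLite database so it runs stand-alone; the table, the comment values and the helper name h() are constructed for the example.

```php
<?php
// Added example, not from the thread. Separates SQL injection prevention
// (parameterised query) from XSS prevention (encode at output). Uses an
// in-memory SQLite database via PDO so it runs without any setup; the
// author/body strings are constructed attacker input.
declare(strict_types=1);

// View-layer encoder for HTML text and quoted attribute contexts (name is ours).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');

// Constructed input: one value aimed at the SQL parser, one aimed at the browser.
$author = "Robert'); DROP TABLE comments; --";
$body   = '<img src=x onerror="alert(1)">';

// Store the ORIGINAL text. Placeholders are sent as data, not as SQL text,
// so the quote and the semicolon never reach the parser as syntax.
$insert = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
$insert->execute([':author' => $author, ':body' => $body]);

// Searching still works on the raw text; it would miss if '<' were stored as '&lt;'.
$find = $db->prepare('SELECT id, author, body FROM comments WHERE body LIKE :needle');
$find->execute([':needle' => '%<img%']);
$rows = $find->fetchAll(PDO::FETCH_ASSOC);

// Encode only here, in the view, for the context the value lands in.
foreach ($rows as $row) {
    printf(
        "<article data-id=\"%d\"><h3>%s</h3><p>%s</p></article>\n",
        $row['id'],
        h($row['author']),
        h($row['body'])
    );
}
// <article data-id="1"><h3>Robert&#039;); DROP TABLE comments; --</h3>
// <p>&lt;img src=x onerror=&quot;alert(1)&quot;&gt;</p></article>

// For contrast, this is the injectable form the question is worried about.
// Never build SQL by string concatenation; with the $author above the quote
// ends the string literal and the rest is parsed as SQL.
// $db->exec("INSERT INTO comments (author, body) VALUES ('$author', '$body')");
```

    Run it with `php example.php` (the pdo_sqlite extension is bundled with PHP). Note that no escaping function is involved on the SQL side at all: the safety comes from the separation of query text and parameters, which is why there is no need for the stored data to be altered, and why the HTML encoding can stay where it belongs, in the output.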
