Why and when to use htmlentities and htmlspecialchars

Posted on 2014-08-19
Last Modified: 2014-08-19
Dear experts,

I know what htmlentities and htmlspecialchars do, as in converting <, >, &, etc. into &lt;, &gt; etc.

I wish to know when to use these functions, and shall I store converted values such as &lt;, &gt; etc. into the database?

Question by:Kinderly Wade

Assisted Solution

by:Göran Andersson
Göran Andersson earned 800 total points
ID: 40271219
You should HTML encode basically any text that you put in the HTML code, like text content in an element and values for attributes. Example:

<div class="<?php echo htmlspecialchars($divClass) ?>"><?php echo htmlspecialchars($divContent)?></div>

This applies, of course, to strings that you don't have full control over yourself. If you know that the string certainly can't contain anything that needs to be encoded, you naturally don't have to encode it.

Normally you would not store the text HTML encoded in the database, but rather encode it when you have fetched it from the database and want to display it in the page. HTML encoded text takes up more space in the database, and by HTML encoding it you would designate the data for being displayed in HTML. If you for example want to do a text search in the data, that becomes difficult or inefficient if it has HTML entities in it.
Expert Comment

by:Ray Paseur
ID: 40271224
Do not store the converted values in the database.  Store the originals.

Use these functions whenever your script creates output from user input.  Typically this would be in the View component of the MVC design pattern.  The idea is to make stray and unwanted HTML and JavaScript into something that is safe for the client browsers.  If you do not do this, the client browser will run JavaScript when you send the JavaScript, and that may include doing some rather nasty things to the clients.

Author Comment

by:Kinderly Wade
ID: 40271265
Hi experts,

If I don't store the converted value in the database, what can I do to prevent SQL injection? I am trying to convert characters in a way that can be safely stored into the database with SQL injection prevention. Thanks.
Accepted Solution

Ray Paseur earned 1200 total points
ID: 40271364
I think you're confusing SQL injection with the output-related issues associated with sending evil JavaScript to the browser.  SQL injection may occur when your script uses unfiltered external data in a query string.  But rather than have me repeat it all, here is a link to an authoritative source -- required reading if you are going to create a web site that faces the public!

See also: http://php.net/manual/en/security.php
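The two answers above separate the concerns: keep the original text in the database and defend the query with placeholders, then encode only when the value is written into HTML. The following is an added example illustrating both points together; it is not code from the thread's participants, and it assumes PHP 5.4 or later with the PDO SQLite driver and a constructed in-memory `comments` table.

```php
<?php
// Added example (not from the thread): store raw user input with a prepared
// statement (SQL-injection defence) and encode only at output time (XSS defence).
// Assumes PHP >= 5.4 with the PDO SQLite driver; the table below is constructed here.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample input, as it might arrive in $_POST. It contains both an
// apostrophe (which would break a string-concatenated query) and a script tag.
$author = "O'Brien";
$body   = '<script>alert(1)</script> & "quotes"';

// 1. Store the ORIGINAL text. Bound placeholders keep data separate from SQL
//    syntax, so the apostrophe in the name cannot alter the query's structure.
$insert = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
$insert->execute(array(':author' => $author, ':body' => $body));

// 2. Encode at output time only. ENT_QUOTES also encodes single quotes, which
//    matters if a value is ever placed inside a single-quoted attribute.
function h($text)
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$select = $pdo->query('SELECT author, body FROM comments');
foreach ($select as $row) {
    // Encode the attribute value and the element content separately, at the
    // point where each is inserted into the markup.
    echo '<div class="comment" data-author="', h($row['author']), '">',
         h($row['body']), "</div>\n";
}
```

Because the row holds the unencoded text, a later `LIKE` search or a non-HTML consumer (an API, a mail template) still sees the data as the user typed it.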
