Why? htmlspecialchars()

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!


cc4digital
Forum Newbie
Posts: 9
Joined: Wed Nov 03, 2010 1:09 pm

Why? htmlspecialchars()

Post by cc4digital »

I have tried every conceivable way to make this function work. It's getting old and I just don't understand what the problem can be?
My input is "<<<<>>>>", and after running the variable through htmlspecialchars() I still get "<<<<>>>>". Has this function been deprecated, or what am I missing??? :?:
Here is my code:


<?php
$myinput = "<<<<>>>>";
echo "this is my input: " . $myinput . " before the function";
echo "<br/><br/> this is my output after the function is run: " . check_input($myinput);
echo "<br/><br/> But if I run htmlspecialchars() on my input variable I get this: " . htmlspecialchars($myinput);

// Converts < > & " to their HTML entities; it does not remove them.
function check_input($data)
{
    $data = htmlspecialchars($data);
    return $data;
}
?>

Thanks for your help.
gully_mi_seh
Forum Newbie
Posts: 14
Joined: Fri Mar 18, 2011 8:48 pm

Re: Why? htmlspecialchars()

Post by gully_mi_seh »

This function's main purpose is to protect from basic HTML injection through forms or other input. When you use it on a variable, it will neutralise its content and format it as text that the browser will understand but not execute. I recommend you use it each time you are taking data from visitors.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Why? htmlspecialchars()

Post by social_experiment »

cc4digital wrote: I have tried every conceivable way to make this function work. It's getting old and I just don't understand what the problem can be?
htmlspecialchars() converts the HTML-unsafe characters to HTML-safe characters. Your function is working; the point you are missing is that the browser is now displaying an HTML-safe version of > and < (&gt; and &lt; respectively). The function (htmlspecialchars()) doesn't remove / eliminate special characters but converts them.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
cc4digital
Forum Newbie
Posts: 9
Joined: Wed Nov 03, 2010 1:09 pm

Re: Why? htmlspecialchars()

Post by cc4digital »

But when I echo the function it is still showing me >>> <<<<<, not &gt&gt&lt&lt. Why would that be?
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: Why? htmlspecialchars()

Post by superdezign »

It is &gt;&gt;&lt;&lt;. The difference is that your browser displays &gt; as > and &lt; as <. It's easier to see the difference if you try using real input like <strong>Testing</strong>.

With htmlspecialchars, you will see:
<strong>Testing</strong>

Without it, you will see:
Testing

If you want to see the entity codes yourself, right-click the page and View Source. You'll see it there. If you want it to actually display the entity codes to you, then you need to run htmlspecialchars again.

Let's take the test string "<<>>" and run it through htmlspecialchars. echo htmlspecialchars('<<>>'); will output "&lt;&lt;&gt;&gt;", which will display in your browser as "<<>>".
Then, if you run it through again, echo htmlspecialchars('&lt;&lt;&gt;&gt;'); will output "&amp;lt;&amp;lt;&amp;gt;&amp;gt;", which will display in your browser as "&lt;&lt;&gt;&gt;".
So, echo htmlspecialchars(htmlspecialchars('<<>>')); will show "&lt;&lt;&gt;&gt;" in your browser.
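An added example (not code from anyone in this thread) that makes the answers above concrete: what htmlspecialchars() writes into the page source versus what the browser renders, and why escaping twice shows the entity names. The helper as_rendered() is an assumption of this example, using html_entity_decode() as a stand-in for the browser's single level of decoding.

```php
<?php
declare(strict_types=1);

// Escape for an HTML text node or a quoted attribute value. ENT_QUOTES covers
// both quote characters, so the result is also safe inside attr="...".
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Stand-in for what the browser displays for a text node: it decodes exactly
// one level of entities. View Source would show the raw entities instead.
function as_rendered(string $html): string
{
    return html_entity_decode($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed input: markup plus a double quote, as a visitor might submit.
$input = 'He said "<strong>Testing</strong>"';

$once = escape_html($input);
echo "View Source shows:   $once\n";
echo "Browser displays:    " . as_rendered($once) . "\n\n";
// View Source: He said &quot;&lt;strong&gt;Testing&lt;/strong&gt;&quot;
// Browser:     He said "<strong>Testing</strong>"   (inert text, no bold)

// Escaping twice is the effect described in the thread: the & of every
// entity is itself encoded, so the visitor now sees the entity names.
$twice = escape_html($once);
echo "Escaped twice shows: " . as_rendered($twice) . "\n\n";
// Browser: He said &quot;&lt;strong&gt;Testing&lt;/strong&gt;&quot;

// If a value may already contain entities, double_encode = false leaves the
// existing ones alone while still escaping bare < > & " characters.
$mixed = 'Tom &amp; Jerry <3';
$safe  = htmlspecialchars($mixed, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8', false);
echo "double_encode=false: $safe\n";
// Tom &amp; Jerry &lt;3
```

Escape once, at the point where the value is written into HTML, rather than when it is read from the form; that avoids the double-encoding shown above.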