
Why? htmlspecialchars()

Posted: Sun Apr 24, 2011 1:15 am
by cc4digital
I have tried every conceivable way to make this function work. It's getting old and I just don't understand what the problem can be.
My input is "<<<<>>>>", and after running the variable through htmlspecialchars() I still get "<<<<>>>>". Has this function been deprecated, or what am I missing???
Here is my code:


<?php
$myinput = "<<<<>>>>";

// Show the raw input, then the same value passed through check_input()
// and through htmlspecialchars() directly (the two calls are equivalent).
echo "this is my input: " . $myinput . " before the function";
echo "<br/><br/> this is my output after the function is run: " . check_input($myinput);
echo "<br/><br/> But if i run htmlspecialchars() on my input variable I get this: " . htmlspecialchars($myinput);

// Wrapper around htmlspecialchars(): converts <, >, & and " to entities.
function check_input($data)
{
    $data = htmlspecialchars($data);
    return $data;
}
?>

Thanks for your help.

Re: Why? htmlspecialchars()

Posted: Sun Apr 24, 2011 5:35 am
by gully_mi_seh
This function's main purpose is to protect from basic HTML injection through forms or other input. When you use it on a variable, it will neutralise its content and format it as text that the browser will understand but not execute. I recommend you use it each time you are taking data from visitors.

Re: Why? htmlspecialchars()

Posted: Sun Apr 24, 2011 11:25 am
by social_experiment
cc4digital wrote: I have tried every conceivable way to make this function work. It's getting old and I just don't understand what the problem can be.
htmlspecialchars() converts the HTML-unsafe characters to HTML-safe characters. Your function is working; the point you are missing is that the browser is now displaying an HTML-safe version of > and < (&gt; and &lt; respectively). The function (htmlspecialchars()) doesn't remove / eliminate special characters but converts them.

Re: Why? htmlspecialchars()

Posted: Sun Apr 24, 2011 2:24 pm
by cc4digital
But when I echo the function it is still showing me >>> <<<<<, not &gt&gt&lt&lt. Why would that be?

Re: Why? htmlspecialchars()

Posted: Sun Apr 24, 2011 7:23 pm
by superdezign
It is &gt;&gt;&lt;&lt;. The difference is that your browser displays &gt; as > and &lt; as <. It's easier to see the difference if you try using real input like <strong>Testing</strong>.

With htmlspecialchars, you will see:
<strong>Testing</strong>

Without it, you will see:
Testing

If you want to see the entity codes yourself, right-click the page and View Source. You'll see it there. If you want it to actually display the entity codes to you, then you need to run htmlspecialchars again.

Let's take the test string "<<>>" and run it through htmlspecialchars. echo htmlspecialchars('<<>>'); will output "&lt;&lt;&gt;&gt;", which will display in your browser as "<<>>".
Then, if you run it through again, echo htmlspecialchars('&lt;&lt;&gt;&gt;'); will output "&amp;lt;&amp;lt;&amp;gt;&amp;gt;", which will display in your browser as "&lt;&lt;&gt;&gt;".
So, echo htmlspecialchars(htmlspecialchars('<<>>')); will show "&lt;&lt;&gt;&gt;" in your browser.
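As an added example (not code from the thread), the script below makes the "view source" versus "displayed" distinction visible on the command line: html_entity_decode() stands in for the browser's entity decoding, and the escape_once() / browser_display() helper names are my own.

```php
<?php
// One pass of htmlspecialchars() with explicit flags and charset.
// ENT_QUOTES also converts ' and ", which matters inside attributes.
function escape_once($data)
{
    return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
}

// Approximates what a browser shows for a text node: entities decoded.
function browser_display($html)
{
    return html_entity_decode($html, ENT_QUOTES, 'UTF-8');
}

$input = '<<<<>>>>';

$once  = escape_once($input);   // what View Source shows after one pass
$twice = escape_once($once);    // second pass encodes the & of each entity

printf("input:             %s\n", $input);
printf("once (source):     %s\n", $once);
printf("once (displayed):  %s\n", browser_display($once));
printf("twice (source):    %s\n", $twice);
printf("twice (displayed): %s\n", browser_display($twice));

// The realistic case from the thread: markup becomes inert text.
$markup = '<strong>Testing</strong>';
printf("escaped markup:    %s\n", escape_once($markup));

// If a value may already be escaped, double_encode=false leaves existing
// entities alone instead of turning &lt; into &amp;lt;.
printf("no double encode:  %s\n",
    htmlspecialchars($once, ENT_QUOTES, 'UTF-8', false));
```

Running it shows the single-pass output rendering back to the original characters, while the double-pass output renders as the entity names, which is exactly what the browser in the thread was displaying.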