1skazi wrote: I think no flags of htmlentities() are needed to use to display user input because it is not essential to convert any quotation mark (either single or double) to output user's exact input. Only needed to convert HTML tags into entities.
Double and single quotes are characters with HTML-safe equivalents; the primary function of htmlentities() is to convert any character that has an HTML-safe equivalent to said equivalent: < to &lt; or > to &gt; etc.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
1skazi wrote: I think no flags of htmlentities() are needed to use to display user input because it is not essential to convert any quotation mark (either single or double) to output user's exact input.
Correct, I looked at htmlentities() and by default " is converted to &quot;, which is what you want, but you can still use ' to create a cross-site scripting attack, which makes converting anything that might help a malicious user a good thing. Remember that the magic quotes option is deprecated (as of PHP 5.3.0) and, though it works on the server you use now, it might not in the future.
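An added example (not code from either poster) that makes the quote-flag point above visible: the same constructed input, run through htmlentities() with ENT_COMPAT versus ENT_QUOTES, then placed inside a single-quoted attribute. The `$input` value and the helper name `e()` are assumptions for illustration.

```php
<?php
// Added example, not from the thread: why the flags passed to htmlentities()
// matter once user input is placed inside an HTML attribute.

// Constructed user input containing a single quote (not real data).
$input = "O'Brien' title='injected";

// ENT_COMPAT encodes double quotes only; the single quote passes through
// unchanged. This was the default before PHP 8.1.
$compat = htmlentities($input, ENT_COMPAT | ENT_SUBSTITUTE, 'UTF-8');

// ENT_QUOTES encodes both quote styles, so the quote can no longer close a
// single-quoted attribute. PHP 8.1 and later use this by default, but passing
// it explicitly keeps the behaviour the same on older servers.
$quotes = htmlentities($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// Single-quoted attribute context: compare the two renderings.
echo "<input value='$compat'>\n"; // attribute terminates early at the stray '
echo "<input value='$quotes'>\n"; // single quote is emitted as an entity

// Reusable escaper for HTML text and attribute contexts (hypothetical helper).
// Always name the charset and always encode both quote styles.
function e(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo "<p>" . e($input) . "</p>\n";
```

Run with `php example.php` and compare the two `<input>` lines; only the ENT_QUOTES version keeps the attribute intact.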