Re: Display problem using htmlentities() function
Posted: Fri Aug 12, 2011 7:29 am
by phazorRise
Magic quotes are turned on in your php.ini. Either turn them off or use-
Why is the output not the same as the input when using htmlentities()
htmlentities() does its job successfully. Slashes are added by the PHP runtime when the form is submitted; htmlentities() is not designed to remove slashes.
Re: Display problem using htmlentities() function
Posted: Fri Aug 12, 2011 12:20 pm
by social_experiment
Use htmlentities with the ENT_QUOTES flag : htmlentities($value, ENT_QUOTES). This will convert both single and double quotation marks.
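Added example (not code from the thread): the same constructed input string escaped with the default flag set and with ENT_QUOTES, then dropped into a single-quoted attribute so the difference is visible. The input string and the attribute markup are made up for the demonstration; the charset argument is an assumption, used here so the escaper and the page encoding agree.

```php
<?php
// Constructed sample input: contains a single quote, double quotes and a tag.
$input = "Tom's \"quote\" <b>bold</b>";

// Default flag set (ENT_COMPAT on PHP 5.3): double quotes become &quot;,
// tags become &lt;b&gt;, but the single quote is passed through unchanged.
function escape_compat($value)
{
    return htmlentities($value, ENT_COMPAT, 'UTF-8');
}

// ENT_QUOTES: both " and ' are converted, so the result is safe inside
// single-quoted attribute values as well as double-quoted ones.
function escape_quotes($value)
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Text context: both variants neutralise the tag.
echo '<p>' . escape_compat($input) . "</p>\n";
echo '<p>' . escape_quotes($input) . "</p>\n";

// Attribute context with single quotes: only the ENT_QUOTES variant keeps the
// whole string inside the value; with ENT_COMPAT the apostrophe after "Tom"
// closes the attribute and the rest of the input is parsed as markup.
echo "<input value='" . escape_compat($input) . "'>\n";
echo "<input value='" . escape_quotes($input) . "'>\n";
```

With ENT_QUOTES the apostrophe is emitted as `&#039;` and the browser shows the original text in both contexts; with ENT_COMPAT the first `<input>` line ends its value at `Tom`, which is the single-quote problem discussed later in the thread.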
Re: Display problem using htmlentities() function
Posted: Fri Aug 12, 2011 3:09 pm
by social_experiment
1skazi wrote: I think no flags of htmlentities() are needed to use to display user input because it is not essential to convert any quotation mark ( either single or double ) to output user's exact input. Only needed to convert HTML tags into entities.
Double and single quotes are characters with HTML-safe equivalents; the primary function of htmlentities is to convert any character that has an HTML-safe equivalent to said equivalent: < to &lt; or > to &gt; etc.
Re: Display problem using htmlentities() function
Posted: Tue Aug 16, 2011 2:46 pm
by phazorRise
as stated by social experiment, use ENT_QUOTES.
It's good practice to convert both single and double quotes while cleaning user input.
Re: Display problem using htmlentities() function
Posted: Tue Aug 16, 2011 2:54 pm
by phphelpme
That's very good advice phazorRise,
I will personally be taking that on board.
Best wishes
Re: Display problem using htmlentities() function
Posted: Tue Aug 16, 2011 3:52 pm
by social_experiment
1skazi wrote: I think no flags of htmlentities() are needed to use to display user input because it is not essential to convert any quotation mark ( either single or double ) to output user's exact input.
Correct, I looked at htmlentities() and by default " is converted to &quot; which is what you want, but you can still use ' to create a cross-site scripting attack, which makes converting anything that might help a malicious user a good thing.

Remember that the magic quotes option is deprecated (as of PHP 5.3.0) and though it works on the server you use now, it might not in the future.
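Added example, not code from the thread: a small input-normalising helper for the situation the thread describes, where the slashes come from magic_quotes_gpc and the escaping belongs to htmlentities(). It assumes the PHP 5.3 era API (get_magic_quotes_gpc() still exists; it was removed in PHP 8.0), strips the runtime-added slashes only when the option is actually on, and escapes at output time with ENT_QUOTES. The sample POST value is constructed to look like what the runtime produces with magic quotes enabled.

```php
<?php
// Undo the backslashes magic_quotes_gpc added to GET/POST/COOKIE values.
// $magic can be forced for testing; null means "ask the runtime", so the
// same code runs unchanged on a server where the option is off or gone.
function unmagic($value, $magic = null)
{
    if ($magic === null) {
        $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    if (!$magic) {
        return $value;
    }
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $key => $item) {
            $clean[$key] = unmagic($item, true);
        }
        return $clean;
    }
    return stripslashes($value);
}

// Escape for HTML output. ENT_QUOTES covers ' as well as ", and the explicit
// charset keeps the escaper consistent with the page encoding.
function h($value)
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: what $_POST['comment'] contains on a server with
// magic_quotes_gpc=On after the user typed:  Tom's "quote"
$raw = "Tom\\'s \\\"quote\\\"";

// Forcing $magic = true reproduces the magic-quotes case regardless of the
// php.ini on the machine running this example.
$comment = unmagic($raw, true);

// Keep the unescaped value for storage (escape there with the database
// layer's own mechanism), and escape only when rendering.
echo '<p>' . h($comment) . "</p>\n";
```

Calling unmagic() with the default second argument is the form to use in real request handling; the helper then becomes a no-op on servers where magic quotes are off or no longer exist, which is the portability point the post above makes about the option being deprecated.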