Re: use htmlentities
Posted: Thu Jul 26, 2007 6:18 pm
I just felt that I should comment here about htmlentities being used. It's not so much an issue of security, but that you must use htmlspecialchars() or htmlentities() whenever you echo any data back into an HTML field anyway, unless you filter the data (and don't allow quotation marks). A lot of people seem to ignore this fact, so I thought it'd be good for me to point it out.

yacahuma wrote:
I think for security you should use htmlentities

Code:
<input type="text" id="myval" value="<?=htmlentities($dbval)?>" />
Also, the short echo tag (<?=) should be <?php echo. The short tags will be deprecated come PHP 6.
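A worked example of the point made in the post, added here and not code from the original thread: the same input field rendered once with the database value dropped in raw and once escaped for the attribute context. The function names, the `$dbval` payload and the use of `ENT_QUOTES` are assumptions of this example; the post itself only shows the htmlentities() call. Run it with `php escape_demo.php` to see the difference.

```php
<?php
// Added example (not from the original forum post). Shows why a value pulled
// from the database must be escaped before it is echoed into an HTML
// attribute, and what the escaped output looks like.

// Vulnerable form: the raw value is concatenated straight into the attribute.
// A stored value containing a double quote closes value="..." early and the
// remainder is parsed as new attributes of the <input> tag.
function render_input_unsafe($dbval) {
    return '<input type="text" id="myval" value="' . $dbval . '" />';
}

// Hardened form: escape for the HTML attribute context.
// ENT_QUOTES makes both " and ' get encoded, so the helper is safe whether the
// attribute is written with double or single quotes. ENT_SUBSTITUTE replaces
// invalid UTF-8 sequences instead of returning an empty string, and the
// explicit charset avoids relying on the PHP default (which changed in 5.4).
function render_input_safe($dbval) {
    $escaped = htmlspecialchars($dbval, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" id="myval" value="' . $escaped . '" />';
}

// Constructed sample value, standing in for what an attacker could have
// stored in the database through some other form on the site.
$dbval = '" onfocus="alert(document.cookie)" autofocus="';

echo "Unescaped (attribute injection):\n";
echo render_input_unsafe($dbval), "\n\n";

echo "Escaped with htmlspecialchars(ENT_QUOTES):\n";
echo render_input_safe($dbval), "\n";
```

In the escaped output every `"` in the value becomes `&quot;`, so the browser keeps the whole string inside the value attribute and no new attributes are created. htmlentities() would produce the same result for this payload; the only difference between the two functions is that htmlentities() additionally converts every character that has a named entity (accented letters, symbols), which is unnecessary when the page's charset is declared correctly. In either case, pass `ENT_QUOTES` explicitly: on PHP versions before 5.4 the default flag set was `ENT_COMPAT`, which leaves single quotes untouched and therefore does not protect a single-quoted attribute.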