[SOLVED] htmlentities() and $_POST

[Omzy]

I POST the following as a hidden variable in my first form:

 

echo '<input type="hidden" name="username" value="'.htmlentities($_POST['username']).'"/>';

 

This takes you to the second form, which has the following:

 

echo '<input type="hidden" name="username" value="'.$_POST['username'].'"/>';

 

I assume it would carry forward the exact value that has been POSTed. I tested this using a string with an 'ampersand' (&) and in the first form it works as expected, by converting '&' into '&'.

 

However in my second form it seems to convert it back to '&'. Is this the default behaviour/do I have to re-convert it using htmlentities() in my second form, or have I missed something out?

[Daniel0]

It doesn't change the value, it returns a new value. Few of the functions have what you call a side effect.

 

Edit: I misread your topic, but you still have to do it each time. It doesn't mean that the value will be &, but it has to be like that in the HTML source in order to be valid. The posted value will still be &.

[Omzy]

But that's what I don't understand - in the source the value is "&" - that is the posted value, i.e whatever is in the source should be passed forward, not what gets displayed on screen!

[Daniel0]

No. & represents the character &. It has to be escaped in the HTML source because you can't just have an ampersand. That character has a special meaning in itself. Same with other characters like "greater than" or "lower than" and other characters.

[Omzy]

Yeah I understand that, but what I'm saying is why does PHP need to convert it back to '&' - why can't it just leave it as it is!

[Daniel0]

It doesn't convert anything back. It IS an ampersand. & in the source means & in "reality" -- whether you post it or display it on the screen.