beer
Posted March 31, 2010

Hi,

I need some enlightenment with the commands urlencode($variable) and htmlentities($variable).

Here's what I know.

If you have this in your URL:

Quote: page.php?name=jason&id=23

Result:
name: jason
id: 23

What if the name of jason is actually jason&? Or, for example, it's a company?

Quote: page.php?name=jason&&id=23

In other words, what we really need is the value jason& - we use URLENCODE.

Usage: urlencode($variable);

So that jason& is the actual name (including the ampersand: &)

Result:
name: jason&
id: 23 - success!

But what if you have a form with 100 fields? Do you really need to use URLENCODE for all of these fields just to include ASCII character values like % # * etc. in your URL? Do you use these in your forms?

Similar situation with HTMLENTITIES:

Quote: edit_student.php?name=fred

Usage: htmlentities($value);

Reason? If the actual name of fred is <click me>, or again if it's a company, what will appear in your browser, or if you're editing a CMS website, is the name: <click me> - success!

BUT if you DID NOT use HTMLENTITIES,

Result: name: click me - the tags were stripped. Why?

Reason: the browser thought that you have HTML TAGS so it processed it. Therefore, we use HTMLENTITIES to say to our browsers, "Hey, you know those HTML TAGS < > I used inside click me? Well, they aren't really HTML TAGS so pls. include them."

In effect, you won't get hacked in your website even if someone put a malicious code in your GET, POST or COOKIE, or Database like: <javascript>evilcode</javascript> simply because your browser won't follow the HTML TAGS and just show them. So now, does anyone use this function? If yes, what if you have 100 fields where this situation can come up, or if you're editing a CMS website? Do you REALLY need to put HTMLENTITIES on all of them, just to protect your site from being HACKED, or to be SAFE?

That's all. Thanks for reading.
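The two encodings from the post applied to a whole set of fields at once, as an added example that is not part of the original post. The `$fields` array and the `esc()` helper are hypothetical names and the values are constructed; `page.php` and the sample names come from the post.

```php
<?php
// Constructed sample record: values contain characters that are
// significant in a URL (&) and in HTML (< >).
$fields = [
    'name' => 'jason&',
    'id'   => 23,
    'note' => '<click me>',
];

// URL context: http_build_query() percent-encodes every key and value,
// so a form with many fields needs no per-field urlencode() call.
$url = 'page.php?' . http_build_query($fields);

// Round trip: the receiving side gets the original values back,
// ampersand included, because the data "&" travelled as %26.
parse_str((string) parse_url($url, PHP_URL_QUERY), $received);

// HTML context: hypothetical helper wrapping htmlentities() with flags
// that also escape both quote characters and replace invalid byte
// sequences instead of returning an empty string.
function esc($value): string
{
    return htmlentities((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape at output time, once per value, in a single pass over the record.
$safe = array_map('esc', $received);

echo "<table>\n";
foreach ($safe as $key => $value) {
    // Keys are escaped too: they also arrive from the request.
    echo '  <tr><th>' . esc($key) . '</th><td>' . $value . "</td></tr>\n";
}
echo "</table>\n";

// A URL placed inside an HTML attribute needs both layers:
// percent-encoding for the query string, then HTML escaping for the
// attribute value that carries it.
echo '<a href="' . esc($url) . '">' . esc($fields['name']) . "</a>\n";
```

Stored values stay raw; each encoding is applied at the point where the value enters that context, which is why the same record is encoded differently for the link and for the table.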