I don't really understand what htmlentities() does and when to use it?!

 

The manual says this...

<?php
$str = "A 'quote' is <b>bold</b>";

// Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str);

// Outputs: A &#039;quote&#039; is &lt;b&gt;bold&lt;/b&gt;
echo htmlentities($str, ENT_QUOTES);
?>

 

 

1.) Isn't there a way to print this...

$str = "A 'quote' is <b>bold</b>";

 

...as this...

A 'quote' is <b>bold</b>

 

That is, WYSIWYG.

 

2.) When and why would you want this displayed...

A 'quote' is &lt;b&gt;bold&lt;/b&gt;

 

I am trying to make my code more secure, and I was told to use something like this on all code that comes from the User and needs to be output, but I'm a little lost here...

echo '	<div class="userInfo">
			<a href="#" class="username">
				<strong>' . nl2br(htmlentities($username)) . '</strong>
			</a>';

 

Debbie

 

https://forums.phpfreaks.com/topic/258025-understanding-htmlentities/

Turning tags into entities stops them from being treated as tags by the browser.  That's important if you don't want a malicious user to post HTML or JavaScript that would be accessed every time the posted data is viewed.

 

Try running

 

<script type="javascript">alert("Hello World!");</script>

 

Through the function and echo the result.

> 1.) Isn't there a way to print this...
>
> $str = "A 'quote' is <b>bold</b>";
>
> ...as this...
>
> A 'quote' is <b>bold</b>

That is pretty much what it is for.  In order to render <b> as literally '<b>' rather than it being seen as a bold tag, you have to use &lt; and &gt; in place of the < and > signs.  That is what htmlentities is for, it will convert those characters to their entity values.  It will convert more than just < and >, but in all cases it should be like a WYSIWYG conversion because the browser will render the entity as whatever the original character was.

If for some reason you're seeing '&lt;' and '&gt;' on your page, you're likely applying htmlentities to your value twice.
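The double-encoding symptom described above, as an added example that is not part of any post in this thread. `html_entity_decode()` stands in for the browser's rendering step, and the `$db` array is a constructed stand-in for stored data; the helper names are hypothetical.

```php
<?php
// Added example, not code from the thread. The sample string is the one from
// the question; $db is a constructed stand-in array, not a real database.

function encode(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// Stand-in for the browser: turns the entities in the HTML source back into
// the characters a visitor actually sees on the page.
function as_rendered(string $htmlSource): string
{
    return html_entity_decode($htmlSource, ENT_QUOTES, 'UTF-8');
}

$input = "A 'quote' is <b>bold</b>";
$db = [];

// Encode once: store the raw value, encode when writing it into the page.
$db['raw'] = $input;
$sourceOnce = encode($db['raw']);

// Encode twice: the value was already encoded when it was saved and is
// encoded again on output, so every "&" from the first pass becomes "&amp;".
$db['encoded'] = encode($input);
$sourceTwice = encode($db['encoded']);

printf("source   (once):  %s\n", $sourceOnce);
printf("rendered (once):  %s\n", as_rendered($sourceOnce));
printf("source   (twice): %s\n", $sourceTwice);
printf("rendered (twice): %s\n", as_rendered($sourceTwice));

// Compare what the visitor sees with what was originally typed.
var_dump(as_rendered($sourceOnce) === $input);
var_dump(as_rendered($sourceTwice) === $input);
```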

 

 

> > 1.) Isn't there a way to print this...
> >
> > $str = "A 'quote' is <b>bold</b>";
> >
> > ...as this...
> >
> > A 'quote' is <b>bold</b>
>
> That is pretty much what it is for.  In order to render <b> as literally '<b>' rather than it being seen as a bold tag, you have to use &lt; and &gt; in place of the < and > signs.  That is what htmlentities is for, it will convert those characters to their entity values.  It will convert more than just < and >, but in all cases it should be like a WYSIWYG conversion because the browser will render the entity as whatever the original character was.
>
> If for some reason you're seeing '&lt;' and '&gt;' on your page, you're likely applying htmlentities to your value twice.

 

No, I'm just going off of what the PHP Manual is saying here...

http://www.php.net/manual/en/function.htmlentities.php

 

 

(Which is why I don't always RTFM for my critics on PHPFreaks...)  ;)

 

 

Debbie

 

> (Which is why I don't always RTFM for my critics on PHPFreaks...)  ;)

 

You should always rtfm.  If you don't understand something then you ask.

 

http://linode.aoeex.com/dd.php - Threw that together to show you how htmlentities works.  Enter something in the text box, submit and you can see the results of calling the function.

 

 

Are you seeing the &lt; and &gt; codes on your page, rather than < or >?

 

> (Which is why I don't always RTFM for my critics on PHPFreaks...)  ;)
>
> You should always rtfm.

 

I usually do.

 

 

> If you don't understand something then you ask.

 

That's why we are talking!!

 

 

> http://linode.aoeex.com/dd.php - Threw that together to show you how htmlentities works.  Enter something in the text box, submit and you can see the results of calling the function.
>
> Are you seeing the &lt; and &gt; codes on your page, rather than < or >?

 

The problem with the people who post on the PHP Manual site is that they often have poor English and communication skills.

 

<?php
$str = "A 'quote' is <b>bold</b>";
echo htmlentities($str);

// Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;

 

What this should say is that the above code outputs the following HTML Source Code (versus implying it outputs the above to the screen)...

 

This does a better job of explaining things...

http://www.tizag.com/phpT/php-htmlentities.php

 

 

Nice website you created, kicken!

 

 

Debbie

 

So in this example, should I use htmlentities in BOTH the line that echoes things to the screen after processing the form AND on the line of code that creates a "Sticky Form"??

 

 

<?php

if (isset($_POST['submit'])) {
    // save comment to the database
}

?>
<html>
<head></head>
<body>
  <form method="post" action="">
    <?php if (isset($_POST['preview'])): ?>
      <div class="comment">
        <?php //echo $_POST['comment']; ?>
        <?php echo nl2br(htmlentities($_POST['comment'])); ?>
      </div>
    <?php endif; ?>

    <h2>Comment</h2>
<!--
    <textarea name="comment"><?php if (isset($_POST['comment'])) echo htmlentities($_POST['comment']); ?></textarea>
-->
    <textarea name="comment"><?php if (isset($_POST['comment'])) echo ($_POST['comment']); ?></textarea>
    <input type="submit" name="submit" value="Submit Comment">
    <input type="submit" name="preview" value="Preview Comment">
  </form>
</body>
</html>

 

 

As the code stands now, the second line of code doesn't seem to cause any problems with htmlentities...

     <textarea name="comment"><?php if (isset($_POST['comment'])) echo ($_POST['comment']); ?></textarea>

 

Comments?

 

 

Debbie

 

 

> So in this example, should I use htmlentities in BOTH the line that echoes things to the screen after processing the form AND on the line of code that creates a "Sticky Form"??

 

Yes.  You use it any time you output the string to your web page.

 

> What this should say is that the above code outputs the following HTML Source Code (versus implying it outputs the above to the screen)...

There's no reason to specifically say it outputs HTML Source code.  That fact is implied by what the function does as well as its name.  As we mentioned in one of your other threads, htmlentities is a function you use to protect against XSS by making it so that people cannot enter their own HTML code on your site.  This function is specifically for manipulating HTML source code.  If for instance you were putting the info into some other place (eg, the database or a PDF file) you would not use this function because your target output is not html.

 

What htmlentities returns is a new string, with certain characters replaced with character entity codes.  These codes are only understood when you view that resulting string through a browser which renders the HTML.  If you just view it as plain text (such as if you view-source or output to a console) then of course what you will see is the code, not the character it represents, as there would be nothing to do that translation.
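The answer above applied to the form from the question, as an added example that is not part of any post in this thread: both places that write the comment into the page go through one helper. The helper name `e()`, the explicit flags and the UTF-8 charset are assumptions of this example.

```php
<?php
// Added example, not code from the thread. e() is a hypothetical helper name.
function e(string $value): string
{
    // Explicit flags and charset so the result does not depend on the
    // defaults of the PHP version in use.
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Raw value as submitted. A non-string value (for example an array sent as
// comment[]) is treated as empty instead of being passed to htmlentities().
$comment = isset($_POST['comment']) && is_string($_POST['comment']) ? $_POST['comment'] : '';
$preview = isset($_POST['preview']);

// The raw $comment is what gets saved on submit; entities are only for HTML output.
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Comment</title></head>
<body>
  <form method="post" action="">
    <?php if ($preview): ?>
      <div class="comment">
        <?php /* Encode first, then nl2br(), so the <br> tags it adds stay real tags. */ ?>
        <?php echo nl2br(e($comment)); ?>
      </div>
    <?php endif; ?>

    <h2>Comment</h2>
    <?php /* Sticky field: the same user value written into the same page, so it is encoded too. */ ?>
    <textarea name="comment"><?php echo e($comment); ?></textarea>
    <input type="submit" name="submit" value="Submit Comment">
    <input type="submit" name="preview" value="Preview Comment">
  </form>
</body>
</html>
```

The browser decodes the entities inside the textarea before the form is submitted again, so the next request carries the original characters and the value is not encoded twice.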

 

 
