When exactly to use htmlspecialchars in php?

6 replies
What exactly is the use of htmlspecialchars in PHP, and when should it be used while developing a web site? Is it to be used before storing data in the database or after retrieving it from the database?
#htmlspecialchars #php
  • HJdev
    You should only call this method when echoing the data into HTML.

    Don't store escaped HTML in your database; it will just make queries more annoying.
    The database should store your actual data, not its HTML representation.

    Source: php - when to use htmlspecialchars() function? - Stack Overflow
  • TheDevonSEOCo
    See: http://php.net/htmlspecialchars should be added before storing to the db.

    The purpose of htmlspecialchars is to avoid MySQL injection.
    This is to add security for your database.

    I hope this answers your query.

    If you have further questions, please visit my page and message me.

    Thanks!
  • jeffreysloe
    From my understanding of PHP, there's a difference between htmlspecialchars and an SQL Injection. Even though they are both PHP functions, they are both used for different purposes.

    htmlspecialchars, a string function, converts all special characters to HTML code; for example, < (less-than sign) is converted to &lt; and > (greater-than sign) is converted to &gt;.

    mysql_real_escape_string, a MySQL function, takes a string that is going to be used in a MySQL query and returns the same string with all SQL Injection attempts safely escaped.
    • mpchekuri
      @jeffreysloe Hi! Thanks for the reply. You mean htmlspecialchars is to be used before delivering data to the browser?
      • kaufenpreis
        In a properly set up data flow, though, this shouldn't be a possibility at all, except if there is data incoming from the user or a 3rd party service that could or could not already contain HTML encoded characters. (Not that I haven't built a few improperly set up data flows in my career. But that's why I know why it's so important they're clean and well defined. :-)
  • tophyips
    When HTML validation from W3C is a priority, this htmlspecialchars function will help you a lot. Any anchor links not converted with htmlspecialchars will be complained about.
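The following is an added example, not code posted by anyone in this thread. It shows the data flow HJdev and jeffreysloe describe (raw data in the database via a prepared statement, htmlspecialchars only at the moment of output), the href case tophyips mentions, and the double-encoding problem kaufenpreis alludes to. It assumes the pdo_sqlite extension is available so it can run without a MySQL server; the helper names e(), storeComment() and renderComment(), the table layout and all sample values are constructed for this example.

```php
<?php
declare(strict_types=1);

// Escape a value for placement in an HTML text node or a quoted attribute value.
// ENT_QUOTES covers both ' and ", so the same helper works inside either attribute
// quoting style; the charset must match the page's declared charset (assumed UTF-8).
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Storage layer: a prepared statement keeps user data out of the SQL grammar.
// No htmlspecialchars (and no mysql_real_escape_string) is involved at this stage;
// the row holds exactly what the user typed.
function storeComment(PDO $pdo, string $author, string $body, string $link): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (author, body, link) VALUES (:author, :body, :link)');
    $stmt->execute([':author' => $author, ':body' => $body, ':link' => $link]);
    return (int) $pdo->lastInsertId();
}

// Output layer: escaping happens here, when the data is written into HTML.
// The link goes into href, so an '&' separating query parameters becomes '&amp;',
// which is also the form the W3C validator expects inside an attribute.
function renderComment(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT author, body, link FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    return sprintf(
        '<p class="comment" data-author="%s"><a href="%s">%s</a>: %s</p>',
        e($row['author']),
        e($row['link']),
        e($row['author']),
        e($row['body'])
    );
}

// Constructed fixture: an in-memory SQLite table stands in for the site's MySQL table.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL, link TEXT NOT NULL)');

// Constructed input mixing an SQL quote character, HTML tags and a query string.
$id = storeComment(
    $pdo,
    "O'Brien",
    '<script>alert("x")</script> said: 1 < 2 & 3 > 2',
    'https://example.com/profile?user=obrien&tab=posts'
);

// The database still holds the raw text: the tags and the quote were stored, not encoded.
$check = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
$check->execute([':id' => $id]);
echo "Stored body:    " . $check->fetchColumn() . "\n";
echo "Rendered HTML:  " . renderComment($pdo, $id) . "\n";

// Why the escape must happen exactly once: if a feed, a legacy table or an earlier
// code path already encoded the text, encoding it again turns '&amp;' into '&amp;amp;',
// which the browser then displays as a literal '&amp;'. The fourth parameter of
// htmlspecialchars (double_encode) leaves existing entities untouched when set to false.
$alreadyEncoded = 'Tom &amp; Jerry &lt;3';
echo "Encoded twice:  " . htmlspecialchars($alreadyEncoded, ENT_QUOTES | ENT_HTML5, 'UTF-8') . "\n";
echo "Encoded once:   " . htmlspecialchars($alreadyEncoded, ENT_QUOTES | ENT_HTML5, 'UTF-8', false) . "\n";
```

Run it with the PHP CLI (`php example.php`). The first two lines of output show that the stored body keeps its raw <script> tag while the rendered HTML shows it as inert text; the last two lines show why escaping on the way into the database and again on the way out corrupts the display, which is the practical reason to keep the single htmlspecialchars call at the output boundary.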