
Thread: [RESOLVED] htmlentities

  1. #1

    Thread Starter
    Frenzied Member
    Join Date
    Jun 2005
    Posts
    1,170

    [RESOLVED] htmlentities

    I tried to learn htmlentities,

    PHP Code:
    <?php
    $str = "A 'quote' is <i>bold</i>";

    // Outputs: A 'quote' is &lt;i&gt;bold&lt;/i&gt;
    echo htmlentities($str);
    echo "<p>";

    // Outputs: A &#039;quote&#039; is &lt;i&gt;bold&lt;/i&gt;
    echo htmlentities($str, ENT_QUOTES);
    ?>
    But all I got/output is

    Code:
    A 'quote' is <i>bold</i>
    A 'quote' is <i>bold</i>
    I am using php5, is there anything I should enable?

  2. #2
    PowerPoster
    Join Date
    Sep 2003
    Location
    Edmonton, AB, Canada
    Posts
    2,629

    Re: htmlentities

    using php 5.2.1 with mostly default php.ini settings, I did the following:
    PHP Code:
    <?php
      header("Content-type: text/plain");

      $str = "This is a '<strong>sentence</strong>' with some '<em>html</em>' contained \"<u>within</u>\" it";
      echo 'normal:' . "\t\t\t" . $str . "\n\n";
      echo 'htmlentities():' . "\t\t" . htmlentities($str, ENT_QUOTES) . "\n\n";
    ?>
    and got this:
    Code:
    normal:			This is a '<strong>sentence</strong>' with some '<em>html</em>' contained "<u>within</u>" it
    
    htmlentities():		This is a '&lt;strong&gt;sentence&lt;/strong&gt;' with some '&lt;em&gt;html&lt;/em&gt;' contained &quot;&lt;u&gt;within&lt;/u&gt;&quot; it

    edit: crap, when I pasted it, it didn't show up right. run the script I posted above and you'll see. it uses the ASCII character codes ("#039;" with an ampersand before it) to replace the quotes instead of something like &quot;. this is, however, the desired effect for this function.

  3. #3

    Thread Starter
    Frenzied Member
    Join Date
    Jun 2005
    Posts
    1,170

    Re: htmlentities

    Kows, I got this

    Code:
    normal:         This is a '<strong>sentence</strong>' with some '<em>html</em>' contained "<u>within</u>" it

    htmlentities():     This is a '&lt;strong&gt;sentence&lt;/strong&gt;' with some '&lt;em&gt;html&lt;/em&gt;' contained &quot;&lt;u&gt;within&lt;/u&gt;&quot; it

    It's terrible, not sure why.

  4. #4
    I'm about to be a PowerPoster!
    Join Date
    Jan 2005
    Location
    Everywhere
    Posts
    13,647

    Re: htmlentities

    It looks like it is working. What's the issue?

  5. #5

    Thread Starter
    Frenzied Member
    Join Date
    Jun 2005
    Posts
    1,170

    Re: htmlentities

    So what exactly does htmlentities do? I think that's the main issue: I don't get the whole thing with those marks.

  6. #6
    VBA Nutter visualAd's Avatar
    Join Date
    Apr 2002
    Location
    Ickenham, UK
    Posts
    4,906

    Re: htmlentities

    Quote Originally Posted by vbbit
    I tried to learn htmlentities,

    PHP Code:
    <?php
    $str = "A 'quote' is <i>bold</i>";

    // Outputs: A 'quote' is &lt;i&gt;bold&lt;/i&gt;
    echo htmlentities($str);
    echo "<p>";

    // Outputs: A &#039;quote&#039; is &lt;i&gt;bold&lt;/i&gt;
    echo htmlentities($str, ENT_QUOTES);
    ?>
    But all I got/output is

    Code:
    A 'quote' is <i>bold</i>
    A 'quote' is <i>bold</i>
    I am using php5, is there anything I should enable?
    Right click on the page and select "View Source"

  7. #7
    I'm about to be a PowerPoster!
    Join Date
    Jan 2005
    Location
    Everywhere
    Posts
    13,647

    Re: htmlentities

    When in doubt, consult the documentation:
    PHP: htmlentities - Manual

  8. #8
    PowerPoster
    Join Date
    Sep 2003
    Location
    Edmonton, AB, Canada
    Posts
    2,629

    Re: htmlentities

    HTML entities converts all HTML-ish characters into characters that a browser will parse as, well, characters, rather than actually parsing the HTML.

    it will convert a LESS THAN ("<") sign into &lt; and a GREATER THAN (">") sign into &gt;. It can replace single and double quotes, as well as some other special characters.

    what did you think it did?
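    Added example (mine, not code from this thread) showing exactly which characters htmlentities() rewrites and how the flag argument changes the result, which is the point kows makes above. It assumes PHP 7.1 or later; the sample string and the malformed-UTF-8 string are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. Shows which characters
// htmlentities() rewrites and how the flag argument changes the result.
// Assumes PHP 7.1+ (scalar type hints, ENT_HTML5, ENT_SUBSTITUTE).

// Constructed sample: one of every character class the function treats specially.
const SAMPLE = 'A \'quote\', 1 < 2 && 3 > 2, "double", café';

/**
 * Escape one string under several flag sets and return the results keyed
 * by a label, so the differences are visible side by side.
 */
function compareFlags(string $input): array
{
    return [
        // ENT_COMPAT: & < > and " are converted; the single quote is left alone.
        // (This was the default before PHP 8.1; since 8.1 the default is ENT_QUOTES.)
        'ENT_COMPAT'           => htmlentities($input, ENT_COMPAT | ENT_HTML401, 'UTF-8'),
        // ENT_QUOTES: the single quote is converted too, to &#039; under HTML 4.01 rules.
        'ENT_QUOTES'           => htmlentities($input, ENT_QUOTES | ENT_HTML401, 'UTF-8'),
        // With ENT_HTML5 the single quote becomes &apos; instead of &#039;.
        'ENT_QUOTES|ENT_HTML5' => htmlentities($input, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        // htmlspecialchars() only touches & < > " ' and leaves "é" as it is;
        // htmlentities() also rewrites every character that has a named entity (&eacute;).
        'htmlspecialchars'     => htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
    ];
}

/**
 * Pitfall worth knowing: on a byte sequence that is invalid for the declared
 * charset, htmlentities() returns an empty string unless ENT_SUBSTITUTE (or
 * ENT_IGNORE) is set. Returns [without flag, with ENT_SUBSTITUTE].
 */
function invalidUtf8Behaviour(): array
{
    $bad = "broken \xC3 byte";  // constructed: a lone UTF-8 lead byte
    return [
        htmlentities($bad, ENT_QUOTES | ENT_HTML5, 'UTF-8'),                   // ''
        htmlentities($bad, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8'),  // U+FFFD inserted
    ];
}

header('Content-Type: text/plain; charset=UTF-8');  // plain text so the entities stay visible
foreach (compareFlags(SAMPLE) as $label => $escaped) {
    printf("%-22s %s\n", $label . ':', $escaped);
}
[$without, $with] = invalidUtf8Behaviour();
printf("%-22s %s\n", 'invalid, no flag:', var_export($without, true));
printf("%-22s %s\n", 'invalid, SUBSTITUTE:', $with);
```

    Serving the output as text/plain (as kows did) is the easiest way to see the entities, because in an HTML page the browser renders &lt; back to "<" and only "View Source" shows the raw text. Passing the flags and charset explicitly, rather than relying on the defaults, keeps the behaviour the same across PHP versions.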

  9. #9

    Thread Starter
    Frenzied Member
    Join Date
    Jun 2005
    Posts
    1,170

    Re: htmlentities

    Oh man, I thought what it did was to convert the tags to html. Like this <b>testing</b> , the output from that htmlentities should be testing

    I don't see any reasons to use htmlentities then, or is there?

  10. #10
    PowerPoster sunburnt's Avatar
    Join Date
    Feb 2001
    Location
    Boulder, Colorado
    Posts
    1,403

    Re: htmlentities

    Quote Originally Posted by vbbit
    Oh man, I thought what it did was to convert the tags to html. Like this <b>testing</b> , the output from that htmlentities should be testing

    I don't see any reasons to use htmlentities then, or is there?
    You can use htmlentities to sanitize user input before you put it into a database query or display it on the web page. For example, if a malicious user enters something like:

    Code:
    HI I LIKE YOUR SITE
    <meta http-equiv="refresh" content="2;url=http://myevilhomepage.com">
    into a comment box on your webpage, and you do not modify the input before displaying it, the comment will be parsed by the web browser and cause it to redirect elsewhere. Whereas, if you use htmlentities() to sanitize the input, the actual code will be displayed in the browser and have no effect. -- Which is what VBForums does to HTML that you put into your post (so that you can see the html i pasted above!)

  11. #11
    I'm about to be a PowerPoster!
    Join Date
    Jan 2005
    Location
    Everywhere
    Posts
    13,647

    Re: htmlentities

    htmlentities() is used when outputting data into an HTML document.

    Take this forum as an example. This forum lets you type any characters you like into a post. It is then the responsibility of the forum software to ensure that what you have typed does not then mess up the layout of the entire page. It does this by running htmlentities() over the post contents when it is outputted.

    As a matter of sheer principle, you should run it after retrieving data from the database, not before storing it. (Apart from, of course, situations where you're also caching the HTML in the database.)

  12. #12

    Thread Starter
    Frenzied Member
    Join Date
    Jun 2005
    Posts
    1,170

    Re: htmlentities

    OK just to clarify, so from what you guys are talking about, if a user types in the input box on my webpage:

    <b>testing</b>

    Then my insert query will insert that whole <b>testing</b> into my database, and therefore, when I print out the text in that row to the web browser, the user will see testing, correct? But on the other hand, if I used htmlentities(<b>testing</b>), then will those #$@ signs be saved to my database also? And will it print out those signs to the browser also?

  13. #13
    I'm about to be a PowerPoster!
    Join Date
    Jan 2005
    Location
    Everywhere
    Posts
    13,647

    Re: htmlentities

    Yes - but, like I say, you should sanitise the data after retrieving it from the database and before outputting it to the page, not before inserting it into the database.

  14. #14
    PowerPoster
    Join Date
    Sep 2003
    Location
    Edmonton, AB, Canada
    Posts
    2,629

    Re: htmlentities

    if you used htmlentities() and then inserted it into your database, the raw output from htmlentities() will be stored in your database ('&lt;' for '<' and '&gt;' for '>').

    however, the browser will not show the raw output to the user (unless they're viewing the source), but rather will parse the special characters as readable characters. so, "&lt;" changes to "<" and "&gt;" changes to ">", for example. if you view the source, though, you will see the raw output that the database has stored.

    make sense?

  15. #15

    Thread Starter
    Frenzied Member
    Join Date
    Jun 2005
    Posts
    1,170

    Re: htmlentities

    How do I sanitise the data after retrieving it?

    And now kows gets me confused. So in the database it stores '&lt;' for '<', then in the browser, the page will display "<" instead of '&lt;'? Then the spammer is still able to redirect the page.

  16. #16
    PowerPoster
    Join Date
    Sep 2003
    Location
    Edmonton, AB, Canada
    Posts
    2,629

    Re: htmlentities

    no. if the page is HTML (rather than plain text), a browser will parse "&gt;" to show up as "<" to the end user only. if you view the source of the page (the raw output), it will still be '&gt;'.

    and uhh, you sanitize data by using htmlentities().. he meant you should do it when you're retrieving from the database, not when you're saving. so, you want to store it in the database as normal HTML, but use htmlentities() when actually displaying it on a page.
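    Added example (mine, not code from this thread) putting together what sunburnt (#10), the #11 reply, kows (#14) and #16 describe: the comment is stored exactly as typed, and htmlentities() is applied once, at the moment the row is written into the HTML page. It assumes PHP 7.1 or later; the function names e(), storeComment() and renderComments() are mine, the in-memory array stands in for the database table, and the two comments are constructed input (the second is the redirect payload quoted in #10). Note that htmlentities() only makes text safe to place into HTML; it does nothing for the database query itself, which is what prepared statements are for.

```php
<?php
// Added example, not code from the thread. Models the comment-box flow
// discussed above: store what the user typed unchanged, escape with
// htmlentities() only when writing it into HTML. Assumes PHP 7.1+.
// The "table" is an in-memory array standing in for a real database row set.

/** Escape a string for insertion into HTML text or a quoted attribute value. */
function e(string $value): string
{
    // Flags and charset given explicitly: the defaults changed in PHP 8.1, and
    // ENT_SUBSTITUTE avoids the empty-string result on malformed UTF-8.
    return htmlentities($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Stand-in for the INSERT: rows are stored exactly as submitted, no escaping. */
function storeComment(array &$table, string $author, string $body): void
{
    $table[] = ['author' => $author, 'body' => $body];
}

/** Render the stored rows; this is the only place escaping happens. */
function renderComments(array $table): string
{
    $html = "<ul>\n";
    foreach ($table as $row) {
        $html .= sprintf("  <li><b>%s</b>: %s</li>\n", e($row['author']), e($row['body']));
    }
    return $html . "</ul>\n";
}

$comments = [];  // constructed sample rows
storeComment($comments, 'alice', "I'd say 1 < 2");
storeComment($comments, 'spammer',
    "HI I LIKE YOUR SITE\n<meta http-equiv=\"refresh\" content=\"2;url=http://myevilhomepage.com\">");

echo renderComments($comments);
// The <meta> tag reaches the page as &lt;meta ... &gt;, so the browser shows it
// as text and performs no redirect; "View Source" shows the entities themselves.

// Pitfall of the "escape before inserting" variant: if the stored row is already
// escaped and you escape again on output, it is double-encoded and the reader
// sees the literal text "&lt;b&gt;testing&lt;/b&gt;" on the page.
$storedEscaped = e('<b>testing</b>');  // what the OP would have put in the DB
var_dump(e($storedEscaped) === '&amp;lt;b&amp;gt;testing&amp;lt;/b&amp;gt;');  // bool(true)

// The fourth argument (double_encode = false) leaves existing entities alone,
// but it cannot tell an "&amp;" the user typed from one you added earlier, so
// escaping exactly once, on output, is the simpler and more predictable rule.
var_dump(htmlentities($storedEscaped, ENT_QUOTES | ENT_HTML5, 'UTF-8', false) === $storedEscaped);  // bool(true)
```

    The e() helper is only correct for HTML text and quoted attribute values; text placed inside a script block, a URL or an inline style needs escaping appropriate to that context, which htmlentities() does not provide.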

  17. #17

    Thread Starter
    Frenzied Member
    Join Date
    Jun 2005
    Posts
    1,170

    Re: htmlentities

    Hhaa.. finally I got it! whew! thanks guys
