-
May 13th, 2007, 11:25 PM
#1
Thread Starter
Frenzied Member
[RESOLVED] htmlentities
I tried to learn the htmlentities,
PHP Code:
<?php
$str = "A 'quote' is <i>bold</i>";
// Outputs: A 'quote' is &lt;i&gt;bold&lt;/i&gt;
echo htmlentities($str);
echo "<p>";
// Outputs: A &#039;quote&#039; is &lt;i&gt;bold&lt;/i&gt;
echo htmlentities($str, ENT_QUOTES);
?>
But all I got/output is
Code:
A 'quote' is <i>bold</i>
A 'quote' is <i>bold</i>
Iam using php5, is there anything I should enable?
-
May 14th, 2007, 03:09 PM
#2
Re: htmlentities
using php 5.2.1 with mostly default php.ini settings, I did the following:
PHP Code:
<?php
header("Content-type: text/plain");
$str = "This is a '<strong>sentence</strong>' with some '<em>html</em>' contained \"<u>within</u>\" it";
echo 'normal:' . "\t\t\t" . $str . "\n\n";
echo 'htmlentities():' . "\t\t" . htmlentities($str, ENT_QUOTES) . "\n\n";
?>
and got this:
Code:
normal: This is a '<strong>sentence</strong>' with some '<em>html</em>' contained "<u>within</u>" it
htmlentities(): This is a '<strong>sentence</strong>' with some '<em>html</em>' contained "<u>within</u>" it
edit: crap, when I pasted it, it didn't show up right. Run the script I posted above and you'll see. It uses the ASCII character codes ("#039;" with an ampersand before it) to replace the quotes instead of something like ". This is, however, the desired effect for this function.
-
May 14th, 2007, 03:23 PM
#3
Thread Starter
Frenzied Member
Re: htmlentities
Kows, I got this
vb Code:
normal: This is a '<strong>sentence</strong>' with some '<em>html</em>' contained "<u>within</u>" it
htmlentities(): This is a '<strong>sentence</strong>' with some '<em>html</em>' contained "<u>within</u>" it
It's terrible, not sure why.
-
May 14th, 2007, 03:24 PM
#4
Re: htmlentities
It looks like it is working. What's the issue?
-
May 14th, 2007, 03:29 PM
#5
Thread Starter
Frenzied Member
Re: htmlentities
So what exactly does htmlentities do? I think that's the main issue: I don't get the whole thing with those marks.
-
May 14th, 2007, 03:38 PM
#6
Re: htmlentities
 Originally Posted by vbbit
I tried to learn the htmlentities,
PHP Code:
<?php
$str = "A 'quote' is <i>bold</i>";
// Outputs: A 'quote' is &lt;i&gt;bold&lt;/i&gt;
echo htmlentities($str);
echo "<p>";
// Outputs: A &#039;quote&#039; is &lt;i&gt;bold&lt;/i&gt;
echo htmlentities($str, ENT_QUOTES);
?>
But all I got/output is
Code:
A 'quote' is <i>bold</i>
A 'quote' is <i>bold</i>
Iam using php5, is there anything I should enable?
Right click on the page and select "View Source"
-
May 14th, 2007, 03:39 PM
#7
Re: htmlentities
When in doubt, consult the documentation:
PHP: htmlentities - Manual
-
May 14th, 2007, 03:39 PM
#8
Re: htmlentities
htmlentities converts all HTML-ish characters into characters that a browser will parse as, well, characters, rather than actually parsing the HTML.
It will convert a LESS THAN ("<") sign into &lt; and a GREATER THAN (">") sign into &gt;. It can replace single and double quotes, as well as some other special characters.
what did you think it did?
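Added example, not part of the thread and not from any poster: a PHP script that prints what htmlentities() and htmlspecialchars() actually emit for each of the characters post #8 mentions, under each of the ENT_* quote flags, and then shows one failure mode a practitioner should know about. It assumes PHP 5.4 or later (UTF-8 default charset and the ENT_SUBSTITUTE flag); the sample strings are constructed here.

```php
<?php
// Added example, not taken from the thread: what htmlentities() and
// htmlspecialchars() emit for each HTML-significant character, and how the
// ENT_* flags change the handling of quotes.
// Assumes PHP 5.4 or later (UTF-8 default charset, ENT_SUBSTITUTE available).
header('Content-type: text/plain');

// Constructed sample characters.
$samples = array(
    '<', '>', '&', '"', "'",
    "\xC3\xA9",   // "é" as UTF-8: only htmlentities() has a named entity for it
);

printf("%-6s %-10s %-10s %-10s %s\n",
    'char', 'COMPAT', 'QUOTES', 'NOQUOTES', 'htmlspecialchars');
foreach ($samples as $ch) {
    printf("%-6s %-10s %-10s %-10s %s\n",
        $ch,
        htmlentities($ch, ENT_COMPAT, 'UTF-8'),      // default flags before PHP 8.1
        htmlentities($ch, ENT_QUOTES, 'UTF-8'),      // also converts the single quote
        htmlentities($ch, ENT_NOQUOTES, 'UTF-8'),    // leaves both kinds of quote alone
        htmlspecialchars($ch, ENT_QUOTES, 'UTF-8')); // only < > & " ' ; non-ASCII untouched
}

// Failure mode: on PHP 5.4+ a byte sequence that is not valid in the declared
// charset makes htmlentities() return an empty string for the WHOLE input,
// which silently blanks the value on the page. ENT_SUBSTITUTE replaces the
// offending bytes with U+FFFD instead, so the rest of the text survives.
$latin1 = "caf\xE9";   // constructed: a Latin-1 "é" byte, which is not valid UTF-8
var_dump(htmlentities($latin1, ENT_QUOTES, 'UTF-8'));
var_dump(htmlentities($latin1, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
```

The last two calls are the point of the script: the first one returns an empty string, the second returns "caf" followed by the replacement character. If you ever see user content vanish from a page after escaping, a charset mismatch between the database connection and the third argument of htmlentities() is the first thing to check. Use htmlspecialchars() when you only need the markup-significant characters escaped; htmlentities() additionally rewrites every character that has a named entity, which is rarely needed on a UTF-8 page.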
-
May 14th, 2007, 03:42 PM
#9
Thread Starter
Frenzied Member
Re: htmlentities
Oh man, I thought what it did was to convert the tags to HTML. Like this: <b>testing</b>, the output from htmlentities should be testing in bold.
I don't see any reasons to use htmlentities then, or is there?
-
May 14th, 2007, 03:46 PM
#10
Re: htmlentities
 Originally Posted by vbbit
Oh man, I thought what it did was to convert the tags to HTML. Like this: <b>testing</b>, the output from htmlentities should be testing in bold.
I don't see any reasons to use htmlentities then, or is there?
You can use htmlentities to sanitize user input before you put it into a database query or display it on the web page. For example, if a malicious user enters something like:
Code:
HI I LIKE YOUR SITE
<meta http-equiv="refresh" content="2;url=http://myevilhomepage.com">
into a comment box on your webpage, and you do not modify the input before displaying it, the comment will be parsed by the web browser and cause it to redirect elsewhere. Whereas, if you use htmlentities() to sanitize the input, the actual code will be displayed in the browser and have no effect. -- Which is what VBForums does to HTML that you put into your post (so that you can see the HTML I pasted above!)
Every passing hour brings the Solar System forty-three thousand miles closer to Globular Cluster M13 in Hercules -- and still there are some misfits who insist that there is no such thing as progress.
-
May 14th, 2007, 03:47 PM
#11
Re: htmlentities
htmlentities() is used when outputting data into an HTML document.
Take this forum as an example. This forum lets you type any characters you like into a post. It is then the responsibility of the forum software to ensure that what you have typed does not then mess up the layout of the entire page. It does this by running htmlentities() over the post contents when it is output.
As a matter of sheer principle, you should run it after retrieving data from the database, not before storing it. (Apart from, of course, situations where you're also caching the HTML in the database.)
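Added example, not part of the thread and not from any poster: a PHP script showing the "store raw, escape on output" pattern that posts #10 and #11 describe, fed with the redirect payload from post #10, next to what happens when the value is escaped before storing and then escaped again on output. The helper name h() is my own, the database is simulated with an in-memory array, and the comment text is constructed.

```php
<?php
// Added example, not taken from the thread: store the raw text, escape at the
// point of output into HTML. Storage is simulated with an array; with a real
// database use a prepared statement, which is a separate concern from HTML
// escaping. Assumes PHP 5.4 or later.
header('Content-type: text/plain');

// Output-escaping helper (hypothetical name). ENT_QUOTES so the value is also
// safe inside a quoted attribute, explicit charset, ENT_SUBSTITUTE so invalid
// bytes become U+FFFD rather than blanking the whole string.
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input: what a malicious visitor types into the comment box.
$comment = "HI I LIKE YOUR SITE\n"
         . '<meta http-equiv="refresh" content="2;url=http://myevilhomepage.com">';

// 1. Store the raw text exactly as submitted.
$db = array();
$db[] = $comment;

// 2. Escape when rendering it into the HTML document.
echo "== correct: raw in the database, escaped on output ==\n";
foreach ($db as $row) {
    echo '<p class="comment">' . h($row) . "</p>\n";
}
// Sanity check: the rendered HTML no longer contains a real <meta> tag.
var_dump(strpos(h($comment), '<meta') === false);

// 3. The anti-pattern: escaping before the INSERT. The database now holds
//    "&lt;meta ..." and the (still necessary) output escaping turns the
//    leading "&" into "&amp;", so the visitor sees the literal text
//    "&lt;meta ..." instead of "<meta ...".
echo "\n== wrong: escaped before storing, then escaped again on output ==\n";
$db_wrong = array(h($comment));
echo '<p class="comment">' . h($db_wrong[0]) . "</p>\n";

// The raw copy stays usable for other outputs (search index, plain-text
// e-mail, a JSON API) without first undoing the HTML encoding.
echo "\n== raw value, for a non-HTML consumer ==\n";
echo json_encode($db[0]), "\n";
```

Run it with the CLI (php store-raw.php) or in a browser and view the source: the first block shows the escaped tag, which the browser renders as text, while the second shows the double-encoded &amp;lt; that the visitor would see as garbage. The rule in post #11 is really about keeping one canonical copy of the data and choosing the escaping function for the context it is about to enter.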
-
May 14th, 2007, 03:52 PM
#12
Thread Starter
Frenzied Member
Re: htmlentities
OK, just to clarify: from what you guys are saying, if a user types in the input box on my webpage:
<b>testing</b>
Then my insert query will insert that whole <b>testing</b> into my database, and therefore, when I print out the text in that row to the web browser, the user will see testing in bold, correct? But on the other hand, if I used htmlentities(<b>testing</b>), then will those #$@ signs be saved to my database also? And will it print out those signs to the browser also?
-
May 14th, 2007, 03:56 PM
#13
Re: htmlentities
Yes - but, like I say, you should sanitise the data after retrieving it from the database and before outputting it to the page, not before inserting it into the database.
-
May 14th, 2007, 03:56 PM
#14
Re: htmlentities
if you used htmlentities() and then inserted it into your database, the raw output from htmlentities() will be stored in your database ('&lt;' for '<' and '&gt;' for '>').
however, the browser will not show the raw output to the user (unless they're viewing the source), but rather will parse the special characters as readable characters. so, "&lt;" changes to "<" and "&gt;" changes to ">", for example. if you view the source, though, you will see the raw output that the database has stored.
make sense?
-
May 14th, 2007, 07:49 PM
#15
Thread Starter
Frenzied Member
Re: htmlentities
How to sanitise the data after retrieving it?
And now kows gets me confused. So in the database it stores '&lt;' for '<', then in the browser, the page will display "<" instead of '&lt;'? Then the spammer is still able to redirect the page.
-
May 15th, 2007, 02:35 AM
#16
Re: htmlentities
no. if the page is HTML (rather than plain text), a browser will parse "&lt;" to show up as "<" to the end user only. if you view the source of the page (the raw output), it will still be '&lt;'.
and uhh, you sanitize data by using htmlentities().. he meant you should do it when you're retrieving from the database, not when you're saving. so, you want to store it in the database as normal HTML, but use htmlentities() when actually displaying it on a page.
-
May 16th, 2007, 01:14 AM
#17
Thread Starter
Frenzied Member
Re: htmlentities
Hhaa.. finally I got it! whew! thanks guys