doubledee Posted March 1, 2012 Share Posted March 1, 2012 I don't really understand what htmlentities() does and when to use it?! The manual says this... <?php $str = "A 'quote' is <b>bold</b>"; // Outputs: A 'quote' is <b>bold</b> echo htmlentities($str); // Outputs: A 'quote' is <b>bold</b> echo htmlentities($str, ENT_QUOTES); ?> 1.) Isn't there a way to print this... $str = "A 'quote' is <b>bold</b>"; ...as this... A 'quote' is <b>bold</b> That is, WYSIWYG. 2.) When and why would you want this displayed... A 'quote' is <b>bold</b> I am trying to make my code more secure, and I was told to use something like this on all code that comes from the User and needs to be output, but I'm a little lost here... echo ' <div class="userInfo"> <a href="#" class="username"> <strong>' . nl2br(htmlentities($username)) . '</strong> </a>'; Debbie Quote Link to comment Share on other sites More sharing options...
KevinM1 Posted March 1, 2012 Share Posted March 1, 2012 Turning tags into entities stops them from being treated as tags by the browser. That's important if you don't want a malicious user to post HTML or JavaScript that would be accessed every time the posted data is viewed. Try running <script type="javascript">alert("Hello World!");</script> Through the function and echo the result. Quote Link to comment Share on other sites More sharing options...
kicken Posted March 1, 2012 Share Posted March 1, 2012 1.) Isn't there a way to print this... $str = "A 'quote' is <b>bold</b>"; ...as this... A 'quote' is <b>bold</b> That is pretty much what it is for. In order to render <b> as literally '<b>' rather than it being seen as a bold tag, you have to use < and > in place of the < and > signs. That is what htmlentities is for, it will convert those characters to their entity values. It will convert more than just < and >, but in all cases it should be like a WYSIWYG conversion because the browser will render the entity as whatever the original character was. If for some reason your seeing '<' and '>' on your page, your likely applying htmlentities to your value twice. Quote Link to comment Share on other sites More sharing options...
doubledee Posted March 1, 2012 Author Share Posted March 1, 2012 1.) Isn't there a way to print this... $str = "A 'quote' is <b>bold</b>"; ...as this... A 'quote' is <b>bold</b> That is pretty much what it is for. In order to render <b> as literally '<b>' rather than it being seen as a bold tag, you have to use < and > in place of the < and > signs. That is what htmlentities is for, it will convert those characters to their entity values. It will convert more than just < and >, but in all cases it should be like a WYSIWYG conversion because the browser will render the entity as whatever the original character was. If for some reason your seeing '<' and '>' on your page, your likely applying htmlentities to your value twice. No, I'm just going off of what the PHP Manual is saying here... http://www.php.net/manual/en/function.htmlentities.php (Which is why I don't always RTFM for my critics on PHPFreaks...) Debbie Quote Link to comment Share on other sites More sharing options...
kicken Posted March 1, 2012 Share Posted March 1, 2012 (Which is why I don't always RTFM for my critics on PHPFreaks...) You should always rtfm. If you don't understand something then you ask. http://linode.aoeex.com/dd.php - Threw that together to show you how htmlentities works. Enter something in the text box, submit and you can see the results of calling the function. Are you seeing the < and > codes on your page, rather than < or >? Quote Link to comment Share on other sites More sharing options...
doubledee Posted March 1, 2012 Author Share Posted March 1, 2012 (Which is why I don't always RTFM for my critics on PHPFreaks...) You should always rtfm. I usually do. If you don't understand something then you ask. That's why we are talking!! http://linode.aoeex.com/dd.php - Threw that together to show you how htmlentities works. Enter something in the text box, submit and you can see the results of calling the function. Are you seeing the < and > codes on your page, rather than < or >? The problem with the people who post on the PHP Manual site is that they often have poor English and communication skills. <?php $str = "A 'quote' is <b>bold</b>"; echo htmlentities($str); // Outputs: A 'quote' is <b>bold</b> What this should say is that the above code outputs the following HTML Source Code (versus implying it outputs the above to the screen)... This does a better job of explaining things... http://www.tizag.com/phpT/php-htmlentities.php Nice website you created, kicken! Debbie Quote Link to comment Share on other sites More sharing options...
doubledee Posted March 1, 2012 Author Share Posted March 1, 2012 So in this example, should I use htmlentities in BOTH the line that echos things to the screen after processing the form AND on the line of code that creates a "Sticky Form"?? <?php if (isset($_POST['submit'])){ //save comment do the database } ?> <html> <head></head> <body> <form method="post" action=""> <?php if (isset($_POST['preview'])): ?> <div class="comment"> <?php //echo $_POST['comment']; ?> <?php echo nl2br(htmlentities($_POST['comment'])); ?> </div> <?php endif; ?> <h2>Comment</h2> <!-- <textarea name="comment"><?php if (isset($_POST['comment'])) echo htmlentities($_POST['comment']); ?></textarea> --> <textarea name="comment"><?php if (isset($_POST['comment'])) echo ($_POST['comment']); ?></textarea> <input type="submit" name="submit" value="Submit Comment"> <input type="submit" name="preview" value="Preview Comment"> </form> </body> </html> As the code stands now, the second line of code doesn't seem to cause any problems with htmlentities... <textarea name="comment"><?php if (isset($_POST['comment'])) echo ($_POST['comment']); ?></textarea> Comments? Debbie Quote Link to comment Share on other sites More sharing options...
kicken Posted March 1, 2012 Share Posted March 1, 2012 So in this example, should I use htmlentities in BOTH the line that echos things to the screen after processing the form AND on the line of code that creates a "Sticky Form"?? Yes. You use it any time you output the string to your web page. What this should say is that the above code outputs the following HTML Source Code (versus implying it outputs the above to the screen)... There's no reason to specifically say it outputs HTML Source code. That fact is implied by what the function does as well as it's name. As we mentioned in one of your other threads, htmlentities is a function you use to protect against XSS by making it so that people cannot enter their own HTML code on your site. This function is specifically for manipulating HTML source code. If for instance you were putting the info into some other place (eg, the database or a PDF file) you would not use this function because your target output is not html. What htmlentities returns is a new string, with certain characters replaced with character entity codes. These codes are only understood when you view that resulting string through a browser which renders the HTML. If you just view it as plain text (such as if you view-source or output to a console) then of course what you will see is the code, not the character it represents, as there would be nothing to do that translation. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.