Where can I use / htmlspecialchars() ?

  1. When do we add info to the database?
  2. When we withdraw from the database?

For example, a user entered <div>some text</div> , should I process it by htmlspecialchars() and only then add it to the database?

In what form should I store information in the database?

And one more question - if I have a text in the database, but it is in the following format

 <div><span>something</span><a href="example.com">example.com</a></div>

If you use htmlspecialchars() on this text, it is displayed as in the html editor (including tags). How can htmlspecialchars() be used in this case?

  • 2
    It is better to add it for output from the database ... When adding text, it is better to leave it original. For the reason that it can be a piece of code, for example, if it is a programming forum or something else like that. Therefore, we save the original in the database, and output with htmlspecialchars () if necessary. In my opinion it is right. The loss of productivity is not so big there, fragments entered by users in forms are usually not voluminous. - IntegralAL

3 answers 3

htmlspecialchars() used to prevent the insertion of unwanted HTML code into a page, for example, from a commenting form or feedback, by replacing characters such as "<", ">", "&" and so on with their HTML equivalents <> & so on Ie, if you store your HTML-code in the database (the code in which you are sure, you do not need to process it).

When adding information to the database, use the function more efficiently, since you change the line only once when inserting it, and then you will output the already processed to the site. Although, of course, you can pass an unprocessed line through the output through htmlspecialchars (), but for each output of the information, you get a function call (a small but still loss of performance).

  • And if I'm not sure about the code, how to use this function? - User999
  • Are you unsure of your code or someone else? Is there a fundamental difference? I would not advise anyone to trust someone else's code anyway. If you use something like the admin panel on your site, then to add information to the site using forms, it is better to use specialized f-and alternative syntax (something like BBCode, for example), and not to trust pure HTML from your users. Ie htmlspecialchars () is not exactly what you need to perform such tasks. - MDJHD
  • one
    Very unfortunate approach. Not always what is inserted into the database, then displayed in the html page. Screening should be applied before using the data. And screening can be different - for html - one, for inserting as a GET-parameter - another, in the regular season - the third, etc. - tutankhamun

Alternatively, you can use the strip_tags function and simply remove html tags from the incoming data

  • one
    This is not an option, since strip_tags () does not prevent XSS attacks. - User999
  • Did not know about some of the intricacies of the work of this function, excuse me. Now drove this topic with screening / conversion. The essence of the comments on the same stackoverflow, if you work with a database, simply use mysqli_real_escape_string (although some use both functions), if you display the code on the page - use htmlspecialchars. - andreyqin
  • This is an option for extremely limited applications and it is not a complete replacement for htmlspecialchars() . Generally breaking input is not always good. - tutankhamun

This function should be used when checking user submitted data. It is better not to allow users to use constructions with html tags for security. But if you want it like this, then check incoming data with regular data, for example, excluding such tags as script, etc. Your pages from the database can not be run through htmlspecialchars, then the page will be displayed correctly.