The input text field and the textarea field accept any characters. Problems arise only at two points: when writing the value to the database and when displaying it back for re-editing.

1. If you are using a modern extension such as PDO, you do not need to escape anything yourself, because the submitted text is inserted through a placeholder, as-is, as a string:
```php
<?php
try {
    $pdo = new PDO(
        'mysql:host=localhost;dbname=test',
        'root',
        '',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
    );
    // Insert only on an actual form submission; otherwise the redirect below
    // would re-run the INSERT on every load and loop forever
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $query = "INSERT INTO tbl VALUES (NULL, :name)";
        $news = $pdo->prepare($query);
        // The value is bound as data through the placeholder, so no manual escaping is needed
        $news->execute(['name' => $_POST['name']]);
        header("Location: " . $_SERVER['PHP_SELF']);
        exit;
    }
} catch (PDOException $e) {
    echo "Ошибка выполнения запроса: " . $e->getMessage();
}
?>
<!DOCTYPE html>
<html lang="ru">
<head>
    <meta charset='utf-8'>
</head>
<body>
<form method="post">
    Имя: <input type="text" name="name" value=""><br />
    <input type="submit" value="Записать">
</form>
</body>
</html>
```
2. Problems can appear when you edit the text or put the value just entered back into the value attribute of the text field, or between the <textarea> and </textarea> tags. To avoid distortion in that case, pass the text through the htmlspecialchars() function, which converts every character the browser would interpret (quotes, angle brackets, ampersand) into its HTML-safe form:
```php
<!DOCTYPE html>
<html lang="ru">
<head>
    <meta charset='utf-8'>
</head>
<body>
<form method="post">
    <?php // ENT_QUOTES also escapes single quotes, so the value cannot close the attribute;
          // the ?? '' guard avoids passing null on the first (unsubmitted) load ?>
    Имя: <input type="text" name="name" value="<?php echo htmlspecialchars($_POST['name'] ?? '', ENT_QUOTES); ?>"><br />
    <input type="submit" value="Записать">
</form>
</body>
</html>
```
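To see both points together, here is an added example (not part of the original answer) that round-trips a value full of quotes, angle brackets and an ampersand through a prepared statement and back into a value attribute; it assumes the pdo_sqlite extension, uses an in-memory table named tbl, and the sample input is constructed.

```php
<?php
// Added example: store a hostile-looking value via a placeholder, read it back
// unchanged, then escape it only at the point where it is put into HTML.
// Assumes the pdo_sqlite extension is available (CLI: php this_file.php).
declare(strict_types=1);

function storeName(PDO $pdo, string $name): void
{
    // The placeholder sends the value as data, never spliced into the SQL text,
    // so quotes inside $name need no escaping here.
    $stmt = $pdo->prepare('INSERT INTO tbl (name) VALUES (:name)');
    $stmt->execute(['name' => $name]);
}

function renderField(string $value): string
{
    // ENT_QUOTES escapes both " and ', so the value cannot terminate the attribute
    // whichever quote style the template uses; the explicit charset avoids
    // mis-decoding of multi-byte input.
    return '<input type="text" name="name" value="'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE tbl (id INTEGER PRIMARY KEY, name TEXT)');

// Constructed sample input: every character that would break either a
// concatenated SQL string or an unescaped value="" attribute.
$submitted = "O'Brien \"Bob\" <Bob & Co>";
storeName($pdo, $submitted);

$stored = $pdo->query('SELECT name FROM tbl')->fetchColumn();
// Stored byte-for-byte: escaping belongs to the output layer, not the database.
var_dump($stored === $submitted);  // bool(true)

echo renderField($stored), PHP_EOL;
// <input type="text" name="name" value="O&#039;Brien &quot;Bob&quot; &lt;Bob &amp; Co&gt;">
```

The browser decodes the entities back to the original text when it renders the field, so the user sees exactly what was submitted while the attribute boundary stays intact.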