
Why htmlEntities Being Used Here in Php Form ?

Hi,

I found this PHP code in a tutorial. It is a registration/signup page in PHP.
It goes something like this:

[code]
<form action="" method="post">
<div>
<?php if ($id != '') { ?>
<input type="hidden" name="id" value="<?php echo $id; ?>" />
<p>ID: <?php echo $id; ?></p>
<?php } ?>

<strong>First Name: *</strong> <input type="text" name="firstname"
value="<?php echo $first; ?>"/><br/>
<strong>Last Name: *</strong> <input type="text" name="lastname"
value="<?php echo $last; ?>"/>
<p>* required</p>
<input type="submit" name="submit" value="Submit" />
</div>
</form>
</body>
</html>

<?php
// The two lines the question is about: the posted values are HTML-encoded on input.
$firstname = htmlentities($_POST['firstname'], ENT_QUOTES);
$lastname = htmlentities($_POST['lastname'], ENT_QUOTES);
?>
[/code]

Q1. Notice the last two lines.
Why is htmlentities being used here?

Q2. Shall I keep it and add another line to add a filter? Like this:

[code]
$firstname = htmlentities($_POST['firstname'], ENT_QUOTES);
$firstname = filter_var($firstname, FILTER_SANITIZE_STRING);

$lastname = htmlentities($_POST['lastname'], ENT_QUOTES);
$lastname = filter_var($lastname, FILTER_SANITIZE_STRING);
[/code]

Or, should I just settle for:

[code]
$firstname = filter_var($firstname, FILTER_SANITIZE_STRING);
$lastname = filter_var($lastname, FILTER_SANITIZE_STRING);
[/code]

And forget the htmlentities line?


4 Comment(s)

@NogDog Nov 15, 2019 — Generally speaking, I would only use htmlentities() if and when I'm actually outputting to HTML. If in this case it is being used to somehow sanitize or otherwise massage the inputs for, say, storage in a DB, I would not suggest it. That actually effectively pollutes the data and makes it more difficult to search or otherwise match within the DB; or, if outputting as JSON or XML for an API, you would then have HTML character entities in those values, which you probably won't want.
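A worked version of NogDog's advice, as an added example that is not code from the thread: validate on input, store the raw value, and encode only at the HTML boundary. It assumes PHP 8 with the pdo_sqlite extension; note that FILTER_SANITIZE_STRING, used in the question, is deprecated since PHP 8.1.

```php
<?php
// Added example (not from the thread): store the raw value, encode only at output.
// Assumes PHP 8.x with the pdo_sqlite extension (in-memory DB used for the demo).
declare(strict_types=1);

// Validate on input: trim, require non-empty, cap length (bytes). No HTML encoding here.
function validateName(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || strlen($name) > 100) {
        return null; // reject bad input rather than silently mangling it
    }
    return $name;
}

// Encode at the HTML boundary only, where the value is actually emitted.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input standing in for $_POST.
$post = ['firstname' => "O'Brien", 'lastname' => '<b>Smith</b>'];

$first = validateName($post['firstname']) ?? '';
$last  = validateName($post['lastname']) ?? '';

// 1. Storage keeps the original characters; a prepared statement handles SQL quoting.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (firstname TEXT, lastname TEXT)');
$pdo->prepare('INSERT INTO users (firstname, lastname) VALUES (?, ?)')
    ->execute([$first, $last]);

// An exact-match search on what the user typed still works (prints 1).
// Had the input gone through htmlentities() first, the row would hold
// "O&#039;Brien" and this lookup would print 0.
$find = $pdo->prepare('SELECT COUNT(*) FROM users WHERE firstname = ?');
$find->execute(["O'Brien"]);
echo 'matches for O\'Brien: ' . $find->fetchColumn() . "\n";

// 2. HTML output: encode here, so <b>Smith</b> is shown as text, not rendered.
echo '<input type="text" name="firstname" value="' . h($first) . '" />' . "\n";
echo '<p>Last name: ' . h($last) . "</p>\n";

// 3. JSON output for an API: no HTML entities leak into the response.
echo json_encode(['firstname' => $first, 'lastname' => $last]) . "\n";
```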
@coothead Nov 15, 2019 — Hi there developer_web,

bearing in mind that I am not a PHP expert, I do know
that `htmlentities()` is required for security purposes.

> "_Whenever you allow your users to submit text to your website,
> you need to be careful that you don't leave any security holes
> open for malicious users to exploit. If you are ever going to
> allow user submitted text to be visible by the public you should
> consider using the htmlentities function to prevent them from
> running html code and scripts that may be harmful to your visitors._"

**Source:-**

http://tizag.com/phpT/php-htmlentities.php

_coothead_
@developer_web (author) Nov 26, 2019 — @NogDog#1610901

Thanks NogDog!

Sorry for the late reply. Haven't been visiting this forum lately.

Ok. I got your advice.

Just ditched this:

[code]
$firstname = htmlentities($_POST['firstname'], ENT_QUOTES);
$firstname = filter_var($firstname, FILTER_SANITIZE_STRING);
[/code]

[code]
$firstname = filter_var($_POST['firstname'], FILTER_SANITIZE_STRING);
[/code]

Thanks.

You may close this thread now.