
Is htmlentities() Or htmlspecialchars() Really Needed Here?

Folks,

Can you tell me which one of these 5 examples to use?

```php
//Eg 1.A.
//echo "<a href=".htmlentities($page).$url_key_1.urlencode($url_value_1).$url_key_2.urlencode($url_value_2).$url_key_3.intval($url_value_3).">Final Page</a>";
//Eg 1.B.
//echo '<a href='.htmlentities($page)."$url_key_1".urlencode($url_value_1)."$url_key_2".urlencode($url_value_2)."$url_key_3".intval($url_value_3).">Final Page</a>";
//Eg 2.A.
//$link = "<a href=".$page.$url_key_1.urlencode($url_value_1).$url_key_2.urlencode($url_value_2).$url_key_3.intval($url_value_3).">Final Page</a>";
//htmlentities($link); // return value is discarded, so $link is unchanged
//echo $link;
//Eg 2.B.
$link = '<a href='."$page"."$url_key_1".urlencode($url_value_1)."$url_key_2".urlencode($url_value_2)."$url_key_3".intval($url_value_3).'>Final Page</a>';
htmlentities($link); // return value is discarded, so $link is unchanged
echo $link;
//Eg 3.
echo "<a href=".$page.$url_key_1.urlencode($url_value_1).$url_key_2.urlencode($url_value_2).$url_key_3.intval($url_value_3).">$url_value_3</a>";
```

It's pagination section code. I need to use echo over printf here. I know how to output securely with printf thanks to NogDog, so now I need to output securely via echo.
Here is the context:

```php
if ($page > $total_pages) {
    $page = 'search.php?';
    $url_key_1 = '&tbl=';
    $url_key_2 = '&col=';
    $url_key_3 = '&page=';
    $url_key_4 = '&search=';
    $url_value_1 = $tbl;
    $url_value_2 = $col;
    $url_value_3 = $total_pages;
    $url_value_4 = $search;
    //Eg 1.A.
    //echo "<a href=".htmlentities($page).$url_key_1.urlencode($url_value_1).$url_key_2.urlencode($url_value_2).$url_key_3.intval($url_value_3).">Final Page</a>";
    //Eg 1.B.
    //echo '<a href='.htmlentities($page)."$url_key_1".urlencode($url_value_1)."$url_key_2".urlencode($url_value_2)."$url_key_3".intval($url_value_3).">Final Page</a>";
    //Eg 2.A.
    //$link = "<a href=".$page.$url_key_1.urlencode($url_value_1).$url_key_2.urlencode($url_value_2).$url_key_3.intval($url_value_3).">Final Page</a>";
    //htmlentities($link); // return value is discarded, so $link is unchanged
    //echo $link;
    //Eg 2.B.
    //$link = '<a href='."$page"."$url_key_1".urlencode($url_value_1)."$url_key_2".urlencode($url_value_2)."$url_key_3".intval($url_value_3).'>Final Page</a>';
    //htmlentities($link); // return value is discarded, so $link is unchanged
    //echo $link;
    //Eg 3.
    echo "<a href=".$page.$url_key_1.urlencode($url_value_1).$url_key_2.urlencode($url_value_2).$url_key_3.intval($url_value_3).">Final Page</a>";
} else {
    $i = 1; // not initialised in the original snippet; the loop below needs it
    while ($i <= $total_pages) {
        if ($i == $page) {
            // NOTE: both branches overwrite $page with the script name, so the
            // "$i == $page" test above cannot match on later iterations. Keep the
            // script name in its own variable.
            $page = 'search.php?';
            $url_key_1 = '&tbl=';
            $url_key_2 = '&col=';
            $url_key_3 = '&page=';
            $url_key_4 = '&search=';
            $url_value_1 = $tbl;
            $url_value_2 = $col;
            $url_value_3 = $i;
            $url_value_4 = $search;
            //Eg 1.A.
            //echo "<a href=".htmlentities($page).$url_key_1.urlencode($url_value_1).$url_key_2.urlencode($url_value_2).$url_key_3.intval($url_value_3)."><b>$url_value_3</b></a>";
            //Eg 1.B.
            //echo '<a href='.htmlentities($page)."$url_key_1".urlencode($url_value_1)."$url_key_2".urlencode($url_value_2)."$url_key_3".intval($url_value_3)."><b>$url_value_3</b></a>";
            //Eg 2.A.
            //$link = "<a href=".$page.$url_key_1.urlencode($url_value_1).$url_key_2.urlencode($url_value_2).$url_key_3.intval($url_value_3)."><b>$url_value_3</b></a>";
            //htmlentities($link); // return value is discarded, so $link is unchanged
            //echo $link;
            //Eg 2.B.
            //$link = '<a href='."$page"."$url_key_1".urlencode($url_value_1)."$url_key_2".urlencode($url_value_2)."$url_key_3".intval($url_value_3)."><b>$url_value_3</b></a>";
            //htmlentities($link); // return value is discarded, so $link is unchanged
            //echo $link;
            //Eg 3.
            echo "<a href=".$page.$url_key_1.urlencode($url_value_1).$url_key_2.urlencode($url_value_2).$url_key_3.intval($url_value_3)."><b>$url_value_3</b></a>";
        } else {
            $page = 'search.php?';
            $url_key_1 = '&tbl=';
            $url_key_2 = '&col=';
            $url_key_3 = '&page=';
            $url_key_4 = '&search=';
            $url_value_1 = $tbl;
            $url_value_2 = $col;
            $url_value_3 = $i;
            $url_value_4 = $search;
            //Eg 1.A.
            //echo "<a href=".htmlentities($page).$url_key_1.urlencode($url_value_1).$url_key_2.urlencode($url_value_2).$url_key_3.intval($url_value_3).">$url_value_3</a>";
            //Eg 1.B.
            //echo '<a href='.htmlentities($page)."$url_key_1".urlencode($url_value_1)."$url_key_2".urlencode($url_value_2)."$url_key_3".intval($url_value_3).">$url_value_3</a>";
            //Eg 2.A.
            //$link = "<a href=".$page.$url_key_1.urlencode($url_value_1).$url_key_2.urlencode($url_value_2).$url_key_3.intval($url_value_3).">$url_value_3</a>";
            //htmlentities($link); // return value is discarded, so $link is unchanged
            //echo $link;
            //Eg 2.B.
            //$link = '<a href='."$page"."$url_key_1".urlencode($url_value_1)."$url_key_2".urlencode($url_value_2)."$url_key_3".intval($url_value_3).">$url_value_3</a>";
            //htmlentities($link); // return value is discarded, so $link is unchanged
            //echo $link;
            //Eg 3.
            echo "<a href=".$page.$url_key_1.urlencode($url_value_1).$url_key_2.urlencode($url_value_2).$url_key_3.intval($url_value_3).">$url_value_3</a>";
        }
        $i++;
    }
}
```

Is htmlentities() or htmlspecialchars() really needed here? I didn't use them on "Eg 3" and I favoured that example. What's your opinion?
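Editor's note with an added example; this is not code from the thread or from any of its participants. It builds the same pagination strip the post above produces, but escapes each piece for the context it lands in: http_build_query() percent-encodes the query values, htmlspecialchars() encodes the finished URL because it sits inside a quoted attribute, and the label is encoded because it sits in element content. Assumptions: the script is `search.php`, the parameters are the post's `$tbl`, `$col`, `$search` and page number, output is UTF-8, and PHP 7.4 or later; the hostile `$search` value is constructed for the demonstration. Two points about the five examples that the code is meant to make concrete: in Eg 2 the call `htmlentities($link);` discards its return value, so it changes nothing, and if it were assigned back it would encode the `<a>` tag itself into visible text, which is not wanted either; Eg 3 is not injectable as posted only because every variable part passes through urlencode() or intval() and `$page` is the constant `'search.php?'`. It still emits an unquoted href and bare `&` separators, and the moment a user-controlled string such as `$search` is used as the link label instead of the page number it becomes an XSS sink. Escaping at the point of output removes the dependence on those accidental properties.

```php
<?php
declare(strict_types=1);

// One pagination link, with each piece escaped for the context it lands in:
//   query-string values -> percent-encoded by http_build_query()
//   the finished URL    -> HTML-escaped, because it sits inside a quoted attribute
//   the visible label   -> HTML-escaped, because it sits in element content
function pagination_link(string $script, array $query, string $label, bool $current = false): string
{
    $url  = $script . '?' . http_build_query($query, '', '&', PHP_QUERY_RFC3986);
    $href = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $text = htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    if ($current) {
        $text = '<b>' . $text . '</b>'; // markup we add ourselves, after escaping
    }
    return '<a href="' . $href . '">' . $text . '</a>';
}

// The whole strip the two branches in the post produce: either a single
// "Final Page" link, or one link per page with the current page in bold.
// Parameter names follow the post; the function itself is an assumption.
function pagination(string $tbl, string $col, string $search, int $page, int $total_pages): string
{
    $base = ['tbl' => $tbl, 'col' => $col, 'search' => $search];
    if ($page > $total_pages) {
        return 'Page: ' . pagination_link('search.php', $base + ['page' => $total_pages], 'Final Page');
    }
    $links = [];
    for ($i = 1; $i <= $total_pages; $i++) {
        $links[] = pagination_link('search.php', $base + ['page' => $i], (string) $i, $i === $page);
    }
    return 'Page: ' . implode(' ', $links);
}

// Constructed input (not from the page): a search term that would close the
// attribute and open a script tag if it were concatenated unescaped.
$search = '"><script>alert(1)</script>';

echo pagination('users', 'name', $search, 2, 3), "\n";
```

Run it and the search term comes out only as `%22%3E%3Cscript%3E...` inside each URL, the separators come out as `&amp;`, and page 2 is the bold one: three ordinary links, whatever the term contains. The split of duties is the whole answer to the question: urlencode()/http_build_query() protect the URL, htmlspecialchars() protects the HTML around it, and neither replaces the other.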

PHP

7 Comments(s)

@developer_web (author), Dec 09.2020: Shall I rid htmlentities() from this one too?

htmlentities($_SERVER['PHP_SELF'])


Context:

```php
//$total_pages = $_SESSION['total_pages'];
if ($page > $total_pages) { //Display FINAL PAGE link.
    echo "Page: <a href='" .htmlentities($_SERVER['PHP_SELF']) .'?limit=' .urlencode($limit) .'&page=' .urlencode($total_pages) ."'><b>Final Page</b></a>";
} else {
    echo "Page: ";

    $i = 1;
    while ($i <= $total_pages) {
        if ($i == $page) { //Bold the 'Current page' Number.
            echo "<a href='" .htmlentities($_SERVER['PHP_SELF']) .'?limit=' .urlencode($limit) .'&page=' .urlencode($i) ."'><b>$i </b></a>";
        } else {
            echo "<a href='" .htmlentities($_SERVER['PHP_SELF']) .'?limit=' .urlencode($limit) .'&page=' .urlencode($i) ."'>$i </a>";
        }
        $i++;
    }
}
```
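Editor's note with an added example; this is not code from the thread. It shows why the htmlentities() call on `$_SERVER['PHP_SELF']` is the one in this thread that earns its keep, and why the flags matter when the attribute is single-quoted as in the snippet above. PHP_SELF carries any PATH_INFO the client appends after the script name, so its value is attacker-influenced; the hostile value below is constructed. Before PHP 8.1, htmlentities() defaults to ENT_COMPAT, which encodes double quotes but leaves single quotes alone; from 8.1 the default includes ENT_QUOTES. Passing ENT_QUOTES explicitly removes the dependence on the PHP version. The `self_link()` and `href_is_contained()` helpers are assumptions made for the demonstration; it needs PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Mirrors the snippet above: single-quoted href, $self inserted by the caller.
// $escape decides what happens to $self before it lands in the attribute;
// null means "insert it raw".
function self_link(string $self, int $limit, int $page, string $label, ?callable $escape = null): string
{
    $script = $escape === null ? $self : $escape($self);
    return "<a href='" . $script
        . '?limit=' . urlencode((string) $limit)
        . '&page=' . urlencode((string) $page)
        . "'>" . htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</a>';
}

// True when the markup is still exactly one <a> whose href runs from the
// opening quote to the closing quote, with no attribute injected in between.
function href_is_contained(string $html): bool
{
    return preg_match('/^<a href=\'[^\']*\'>[^<]*<\/a>$/', $html) === 1;
}

// Constructed PHP_SELF, as a server hands it over for a request to
// /search.php/' onmouseover='alert(1)   (PATH_INFO is appended, already decoded).
$hostile_self = "/search.php/' onmouseover='alert(1)";

$variants = [
    'raw'                     => null,
    'htmlentities ENT_COMPAT' => fn(string $s): string => htmlentities($s, ENT_COMPAT, 'UTF-8'),
    'htmlentities ENT_QUOTES' => fn(string $s): string => htmlentities($s, ENT_QUOTES, 'UTF-8'),
    'fixed script name'       => fn(string $s): string => 'search.php',
];

foreach ($variants as $name => $escape) {
    $html = self_link($hostile_self, 10, 1, '1', $escape);
    printf("%-25s %-7s %s\n", $name, href_is_contained($html) ? 'intact' : 'BROKEN', $html);
}
```

The first two rows come out broken: the raw value, and the value passed through htmlentities() with the pre-8.1 default flags, both end the attribute at the injected single quote and leave `onmouseover='alert(1)` as a live attribute. ENT_QUOTES turns the quote into `&#039;` and keeps the whole value inside the href. The last row is the simplest fix of all: the script knows its own name, so hard-code it, as the first post already does with `'search.php?'`, and there is nothing attacker-controlled to escape in that position.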
@developer_web (author), Jan 05.2021: @NogDog

Care to respond so I can get going closing this thread?
@developer_web (author), Aug 07.2021: @NogDog

Can you confirm I should stick to my Eg 3 that I mentioned in my original post? I believe all the other examples are unnecessarily using htmlentities(). Even htmlspecialchars() I should not be using where I have used htmlentities() in my 5 examples. What do you say?
@developer_web (author), Aug 18.2021: @NogDog

I am told that I actually favoured the correct one:

```php
//Eg 3.
echo "<a href=".$page.$url_key_1.urlencode($url_value_1).$url_key_2.urlencode($url_value_2).$url_key_3.intval($url_value_3).">$url_value_3</a>";
```

Do you mind confirming this?
@romsgames, Aug 18.2021:

```php
//Eg 3.
echo "<a href=".$page.$url_key_1.urlencode($url_value_1).$url_key_2.urlencode($url_value_2).$url_key_3.intval($url_value_3).">$url_value_3</a>";
```

I don't know how to quote here, so I just copied. I suppose that Eg 3 is OK.

At least that is what our developers used while working on [black version](https://romsplanet.com/roms/nintendo-ds/5585-pokemon-black-version),

but it would be interesting to know which one was correct.
@developer_web (author), Aug 18.2021: @sempervivum

How would you echo a user-submitted link here?