htmlspecialchars

klycette

I'm still a little confused about the htmlspecialchars() function. I've been told that it's a good idea to pass all user input through this function so all quotes, &'s, etc are converted to their html equivalents. Is this true?

Also, what happens when the information the user inputs comes back from the database? Is it correct to assume that it's read as html, so the user's original entries are displayed (", &, etc)?

While I'm kind of on the subject, is it necessary to check if magic_quotes is on before you addslashes and stripslashes or can this be done safely regardless? Thanks in advance.

Option

yes its a good idea to use the function as if you are using database... users can enter nasties and completely change the meaning of your Query and possibly gain access to or even destroy your database.

laserlight

I suggest using addslashes() on incoming variables before storing the values in a database, assuming magic_quotes_gpc is set to 0.

When retrieving from the database, use htmlspecialchars() when writing output.

klycette

If magic_quotes is on and you use addslashes and stripslashes will it hurt anything? Also, do you mean that if you use htmlspecialchars on anything entering the database you also have to use it when outputting from the database?

laserlight

if you use addslashes() on a string that has already been escaped, then using stripslashes() on it will produce the string that has been escaped once, which isnt what you want for normal output.

You only need to use htmlspecialchars() on output, you dont need to use it on input.
Of course you can, but if you do then dont use it on output.
I recommend only using it on output since that makes the data a bit more flexible when you want to write it.

klycette

I'm not sure if its becoming more clear or less clear...lol

Let's put it this way...if I use addslashes and that escapes special characters and magic quotes is also turned on, then will it try to escape them again? I basically just want to know if I have to test whether its on or not and the addslashes and stripslashes accordingly or if I can just do it and let it be redundant.

Regarding the htmlspecialchars, I thought the whole point of using it was to protect your database from code going into it. Basically, I'm just trying to keep things safe while determing what has to be done to the data when its coming back out.

laserlight

htmlspecialchars() can do that, but it is more commonly used to prevent injection of code and scripts into your webpage then to prevent SQL injection.

Currently, I use

//for storage to database
function prepIn($input) {
	$input = trim($input);
	if (!get_magic_quotes_gpc()) {
		return addslashes($input);
	}
	return $input;
}

//for output to html page, textbox or textarea
function prepOut($output) {
	$output = stripslashes($output);
	return htmlspecialchars($output);
}

klycette

Ok...that makes things a little more clear. Right now I'm using this:

function cleanup($input)
{
$input=strip_tags($input);
$input=htmlspecialchars($input);
$input=addslashes($input);//special characters
$input=trim($input);
return $input;
}

which I got from somewhere on this site. Do you recommend using strip_tags as well? Also, does the exact order of the function calls matter?

laserlight

strip_tags() is up to you, it depends on what you want.

In this case the sequence does matter.
If you call htmlspecialchars() first, strip_tags() is useless.
Actually, I think there's no point using both on the same data.

klycette

I'm tempted to just use strip_tags and not htmlspecialchars, since I still don't fully understand what it does...mostly I just want to make sure that users can't put things into my database to screw it up.

laserlight

strip_tags() "tries to return a string with all HTML and PHP tags stripped from a given str", as the PHP manual notes.

htmlspecialchars() "returns a string with some of these conversions made", the conversions meaning some characters are converted to their respective html entities.

The conversions are:
&' (ampersand) becomes '&'
'"' (double quote) becomes '"' when ENT_NOQUOTES is not set.
''' (single quote) becomes ''' only when ENT_QUOTES is set.
'<' (less than) becomes '<'
'>' (greater than) becomes '>'

what this means is, html code within the string will not be "active" as html code.

As such, trying to write evil things like:
<marquee>I can post!!!!</marquee>
will not work, even on I.E.

ravingcommie

What if I use a form and apply html formatting to it, to be inserted into a database and to be retrived by another page with the basic formating. I'm only using things like <strong></strong> and <em></em> but do you think I should pass it through htmlspecialchars() and try and find a way of getting a bulletin board code - like tags - and use that, or should I just leave it?

klycette

If you use htmlspecialchars on output only, aren't you letting users put whatever they want into your database, if you don't use strip_tags? Also, even if htmlspecialchars makes the conversions on output, aren't you still going to get stuff that you don't want. For example if someone enters:

into one of your fields and you pass it through htmlspecialchars before output, aren't you still going to get junk, even if its only the special characters after conversion. What I'm looking for it the best way to get rid of any tags so if someone enters:

or something like it, all that goes into the database is "I can post!!!", without the quotations of course.

zeb

Let me see if I can help make things clear... Basically everything depends on what you are going to do with the data.

Lets say that you are going to simply echo the data to the web page. When a user enters tags in the input field, such as "<marquee>I can post!!!!</marquee>", the angle brackets get sent to the browser "as is" and are interpreted as tags. If you look at the source code to the resulting page, you will see exactly "<marquee>I can post!!!!</marquee>", and the page will display the ugly result of the <marquee> tag - the scrolling words of a juvenile with no direction.

Now, if you first do htmlspecialchars() to the data, before you output to the page, then the angle brackets get changed into '<' and '>' and the web browser will not interpret the string as containing HTML tags. Instead, the browser will interpret the '<' and the '>' as instructions to output the angle brackets to the page. Now the input text "<marquee>I can post!!!!</marquee>" will be displayed on the page as it was entered. If you look at the source code in this case, you will see "<marquee>I can post!!!!</marquee>".

If you plan to store this information in a database, then performing htmlspecialchars() on the input first will result in the following being stored: "<marquee>I can post!!!!</marquee>". If you do this, then there isn't a chance of the database query being cracked. However, as laserlight suggested, the resulting text is stored as a somewhat confusing string which needs to be converted before doing anything other than printing to a web page.

In order to completely remove tags, use strip_tags(). This will remove opposing angle brackets (<>, not ><), and anything in-between. If you do this, then the input data becomes "I can post!!!!".

See this page in the PHP manual for more info.

Does that help?

klycette

Yes, that does help...it was what I was trying to confirm. Out of curiosity, what would be used to convert these strings before outputting them? (although I think I'll just use strip_tags).

zeb

Hmmmm. I'm not sure if there is a designated function for this (someone else?) but I suppose you could do this:

$input = $_POST['input'];
$cleaned_up = htmlspecialchars($input);

// this is the translation table used by htmlspecialchars()
$translation = get_html_translation_table(HTML_SPECIALCHARS);

// to reverse the translation, you could flip
// the keys with the values of the translation table
$reverseTranslation = array_flip($translation);

// then use the string translation function
// and specify the reversed translation table
$original = strtr($cleaned_up, $reverseTranslation);

Kind clunky, but it works... It's all in the manual... and there is a great function index. Check them out.

Option

the actual charachters from the database will not LOOK like the chars they are supposed to... but when displayed on an HTML page they will appear correctly... just use the function.. then forget about it... it should sort itself out.