escaping POST data in form

anakadote

When repopulating a form with user-submitted POST data (say a required field wasn't filled in), I usually use a combination of stripslashes() and htmlentities() to escape the data.

stripslashes(htmlentities($_POST['something'], ENT_QUOTES, 'UTF-8'))

Is there a more efficient/preferred way of doing this?

NogDog

The only reason you should need stripslashes() is if you have the infamous magic_quotes_gpc feature enabled. If it is not turned on (and really, it should not), then you do not want to use stripslashes(). Otherwise, htmlentities() as you are using it should be fine. If you are working in a situation where magic_quotes are (or may be) turned on, you probably should have already stripped them before you get to the point where you are outputting user inputs. (The same would hold for anything else you want to filter, either applying it directly to the $_* arrays or creating separate, "sanitized" arrays to hold the user's inputs.)