Use htmlentities and htmlspecialchars to filter input in PHP

Source: Internet
Author: User


This example shows how to filter input in PHP with htmlentities and htmlspecialchars. It is shared here for your reference; the details are as follows:

Filtering input (that is, any data from the sources listed) means escaping or removing unsafe characters. Input must be filtered before it reaches the application's storage layer; this is the first line of defense. If a website's comment form accepts HTML, then by default a visitor can put a malicious <script> tag into a comment and nothing stops it, for example:

<p>my tests</p><script>alert(123)</script>

If this comment is not filtered, the malicious code is stored in the database and later rendered into the page's markup.

HTML

We can use the htmlentities or htmlspecialchars function to filter HTML: both convert special characters into the corresponding HTML entities.

htmlentities converts every character that has a named HTML entity, such as the currency symbols (euro, pound) and the copyright symbol. htmlspecialchars escapes only a handful of special characters: & " ' < >

Both functions share a pitfall: by default they do not escape single quotes.

$str = '<a href="test.html" rel="external nofollow">\'test Page\'</a><script>alert(213)</script>';
echo htmlentities($str) . PHP_EOL; // the single quotes are not escaped

Pass ENT_QUOTES as the second parameter to escape them as well; see the PHP manual for details.

echo htmlentities($str, ENT_QUOTES, 'UTF-8') . PHP_EOL; // single quotes are now escaped

The examples so far do not show the difference between htmlentities and htmlspecialchars. A character such as the euro sign makes it visible: htmlentities converts it to a named entity, htmlspecialchars leaves it as it is.

echo htmlentities('€<>"') . PHP_EOL;     // the euro sign becomes &euro;
echo htmlspecialchars('€<>"') . PHP_EOL; // the euro sign is left unchanged

Conclusion: for an ordinary form submission you can use strip_tags to remove HTML tags. If a rich text editor needs to keep HTML tags, use htmlspecialchars to filter the submitted data.
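The following is an added example, not code from the original article. It implements the conclusion above (strip_tags for plain-text fields, htmlspecialchars with ENT_QUOTES for rich-text fields) in a hypothetical function filter_comment, and runs the article's sample comment through each function so the differences are visible side by side.

```php
<?php
// Added example (not from the original article). filter_comment is a
// hypothetical helper that applies the article's conclusion.
declare(strict_types=1);

function filter_comment(string $comment, bool $richText): string
{
    if (!$richText) {
        // Plain-text field: drop every tag. Text inside the tags survives,
        // so the result must still be escaped when it is rendered.
        return strip_tags($comment);
    }
    // Rich-text field: keep the markup as visible text by escaping it.
    // ENT_QUOTES escapes both ' and " (PHP before 8.1 left ' alone by default);
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
    return htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample: the article's comment with a single quote and a
// euro sign added so the differences between the functions are visible.
$comment = "<p>my tests</p><script>alert(123)</script> 'quoted' 5€";

$rows = [
    // Only & < > and " are escaped; the single quote passes through.
    'htmlspecialchars ENT_COMPAT' => htmlspecialchars($comment, ENT_COMPAT, 'UTF-8'),
    // Both quote styles are escaped (' becomes &#039;).
    'htmlspecialchars ENT_QUOTES' => htmlspecialchars($comment, ENT_QUOTES, 'UTF-8'),
    // Same as above, plus named entities for e.g. the euro sign (&euro;).
    'htmlentities ENT_QUOTES'     => htmlentities($comment, ENT_QUOTES, 'UTF-8'),
    // Tags removed, but "alert(123)" and the quotes remain as plain text.
    'filter_comment(plain)'       => filter_comment($comment, false),
    // Markup kept but neutralised: the script tag renders as literal text.
    'filter_comment(rich)'        => filter_comment($comment, true),
];

foreach ($rows as $label => $value) {
    printf("%-28s %s\n", $label, $value);
}
```

Run it with `php example.php`; the strip_tags row shows why a plain-text field still needs escaping at output time, since the script's body text is kept.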
