htmlspecialchars() - How and when to use and avoid multiple use

I'm building a PHP intranet for my boss. A simple customer, order, quote system. It will be denied access from the Internet and only used by 3 people. I'm not so concerned with security as I am with validation. JavaScript is disabled on all machines.

The problem I have is this:

  1. Employee enters valid data into a form containing any of the following :;[]"' etc.
  2. Form $_POSTs this data to a validationAndProcessing.php page, which determines whether the employee entered data into the fields or not. If they didn't, they are redirected back to the data input page and the field they missed out is highlighted in red.
  3. htmlspecialchars() is applied to all data being re-populated to the form from what they entered earlier.
  4. Form is then resubmitted to validationAndProcessing.php page, if successful data is entered into the database and employee is taken to display data page.

My question is this:

If an employee repeatedly enters no data in step 1, they will keep moving between step 1 and 4 each time having htmlspecialchars() applied to the data.

So that:- &
becomes:- &amp;
becomes:- &amp;amp;
becomes:- &amp;amp;amp;

etc..

How can I stop htmlspecialchars() being applied multiple times to data that is already cleaned?

Thanks, Adam

Adam asked Jun 02 '10 11:06



1 Answer

Check the manual page on htmlspecialchars:

string htmlspecialchars ( string $string [, int $quote_style = ENT_COMPAT [, string $charset [, bool $double_encode = true ]]] )

the $double_encode option should be what you are looking for.

In a properly set up data flow, though, this shouldn't be a possibility at all, except if there is data incoming from the user or a 3rd party service that could or could not already contain HTML encoded characters. (Not that I haven't built a few improperly set up data flows in my career. But that's why I know why it's so important they're clean and well defined. :-)

Pekka answered Oct 18 '22 17:10
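The round trip from the question and both remedies from the answer, as an added example that is not part of the question or the answer. The function names, the sample customer value and the session-style "keep the raw value" flow are assumptions for illustration; only htmlspecialchars() and its $double_encode parameter come from the page.

```php
<?php
// Added example, not code from the question or the answer.
// Simulates the form -> validationAndProcessing.php -> form loop and shows
// why entities stack, then the two ways out. Function names are assumed.

// The loop from the question: escape on every re-population of the form.
// Each pass re-encodes the '&' of the previous pass's entities.
function naiveRepopulate(string $value, int $rounds): string
{
    for ($i = 0; $i < $rounds; $i++) {
        $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    return $value;
}

// Remedy 1, the $double_encode flag from the answer: with double_encode = false,
// existing valid entities (&amp; &lt; &#039; ...) are left alone, so applying
// the call repeatedly yields the same result as applying it once.
function idempotentEscape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8', false);
}

// Remedy 2, the "properly set up data flow" from the answer: carry the RAW
// value between requests (e.g. in the session, assumed here), store the raw
// value in the database, and escape exactly once, at the moment it is
// written into HTML.
function renderField(string $name, string $raw): string
{
    $safeName  = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    $safeValue = htmlspecialchars($raw,  ENT_QUOTES, 'UTF-8');
    return sprintf('<input type="text" name="%s" value="%s">', $safeName, $safeValue);
}

// Constructed sample input containing the characters from the question.
$customer = 'Smith & Sons <"Ltd">';

// Three trips through the validation page with the naive approach.
echo naiveRepopulate($customer, 3), "\n";

// Escaping twice with double_encode = false still gives single entities.
echo idempotentEscape(idempotentEscape($customer)), "\n";

// Raw value kept, escaped once at output: what the form should emit.
echo renderField('customer', $customer), "\n";
```

Run it with the PHP CLI. The first line grows a new "&amp;" prefix per round, the second stays single-encoded however many times it is called, and the third is the input field the form should emit. The flag is a patch rather than a cure: with $double_encode set to false the function cannot tell an already-escaped value from an employee who literally typed "&amp;" into a field, so that text is silently kept as an entity. Keeping the raw value in the round trip and escaping once on output, as the answer recommends, avoids the question entirely and also keeps the database free of HTML-encoded data.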