
htmlspecialchars to html

I'm currently writing functions to convert htmlspecialchars (which I convert all characters to before they are uploaded to the database, for security purposes and to keep the HTML valid to strict).

Would this be an effective function for putting links back in?

[code=php]
function htmllink($text)
{
    // str_replace() returns the modified string rather than changing $text in place;
    // the result has to be kept and returned, otherwise the function does nothing.
    $text = str_replace('&lt;a href=&quot;', '<a href="', $text);
    $text = str_replace('&quot;&gt;', '">', $text);
    $text = str_replace('&lt;/a&gt;', '</a>', $text);
    return $text;
}
[/code]

Or is there a more effective way?

Also, is there an easy way to display htmlspecialchars for some things and not others (to display code and not have the browser read the HTML for some things, but actually process the HTML for others)?

e.g. have the option to have <a href="blah">blah</a>
and &lt;a href=&quot;blah&quot;&gt;blah&lt;/a&gt;
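An added example, not code from the post: instead of decoding entities back out of stored text (which hands through whatever sits between the `&lt;a href=&quot;` and `&quot;&gt;` markers, attributes included), the database keeps the raw text as typed and a renderer rebuilds only anchors of one strict shape, encoding everything else. The second function is the "display as code" mode asked about above. The function names `encode`, `render_comment` and `render_as_code`, the `rel="nofollow"` choice and the sample string are my own assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example (not the poster's code). The stored comment is raw text, never
// entity-encoded; encoding happens here, at the point the HTML is produced.

function encode(string $s): string
{
    // Encode the HTML-significant characters; ENT_QUOTES also covers single quotes
    // so the result is safe inside double- or single-quoted attributes.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_comment(string $raw): string
{
    // Only this exact anchor shape becomes a real link: an absolute http/https URL,
    // no other attributes, no nested tags in the link text. Anything else, including
    // every other tag, is shown literally via encode().
    $pattern = '~<a href="(https?://[^"\s<>]+)">([^<]*)</a>~i';

    $out = '';
    $offset = 0;
    if (preg_match_all($pattern, $raw, $m, PREG_OFFSET_CAPTURE | PREG_SET_ORDER)) {
        foreach ($m as $match) {
            [$whole, $start] = $match[0];
            $href  = $match[1][0];
            $label = $match[2][0];
            // Plain text before the anchor is encoded as-is.
            $out .= encode(substr($raw, $offset, $start - $offset));
            // Rebuild the anchor from its parts, encoding each one separately so
            // neither the href nor the label can break out of its context.
            $out .= '<a href="' . encode($href) . '" rel="nofollow">' . encode($label) . '</a>';
            $offset = $start + strlen($whole);
        }
    }
    $out .= encode(substr($raw, $offset));
    return $out;
}

function render_as_code(string $raw): string
{
    // "Display as code" mode: nothing is interpreted, the browser shows the markup itself.
    return '<pre>' . encode($raw) . '</pre>';
}

// Constructed sample input: one well-formed link, one tag that must stay literal.
$sample = 'See <a href="https://example.com/docs">the docs</a> and <b>not bold</b>';
echo render_comment($sample), PHP_EOL;
echo render_as_code($sample), PHP_EOL;
```

With this split the same stored text can be shown either way by calling a different renderer, which is the "some things and not others" option asked about; the markup allowed through is decided by the pattern in `render_comment`, not by what the user typed.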


4 Comment(s)

@bokeh Sep 06.2006 — I'd say no. There is no reason to convert mark-up to entities just to put it in the database. Unnecessarily converting to and from entities is just a pointless overhead and in no way increases security. Obviously though if you are accepting data from external sources this should be processed accordingly before placing in the database.
@knowj (author) Sep 06.2006 — I'm not a PHP expert, but from the way I see it htmlspecialchars makes it virtually impossible for a user to upload a usable malicious script. They have no operators, as these are removed, along with a few other systems in place to help increase the security against SQL injection.

Also, not using this would allow users to add their own HTML code to change the whole layout/style of the pages their data is displayed on.

But I am no PHP master; I am still learning, and without being in an industry which is always doing this type of thing I'm having to pick bits up from all over the place to try to do what seems/is said to be best.
@bokeh Sep 06.2006 — There is a built in function to escape data on the way in to the database. In the case of MySQL it is [I]mysql_real_escape_string()[/I]. Once the data is escaped it will not harm the database.

[QUOTE]upload a usable malicious script[/QUOTE]

The point of applying entities to user input is so the end user (not your site) is protected from any malicious portable code. If you make a function that converts that code back into an executable form before outputting it, any protection extended to your users will be lost.
@pcthug Sep 07.2006 — Use the [url=http://www.php.net/manual/en/function.htmlspecialchars-decode.php]htmlspecialchars_decode()[/url] function.