March 6th, 2013, 09:10 PM
Does htmspecialchars stop css attack?
For example is this enough for keeping the data in the text field?
Not speaking about sql injeciton here.
echo '<input type="text" value="'.htmlspecialchars($_POST['search']).'" />';
March 6th, 2013, 09:19 PM
Yes, but it would be good to get in the habit of using the full power of the function.
htmlspecialchars($_POST['search'], ENT_QUOTES, 'UTF-8')
March 6th, 2013, 10:38 PM
Originally Posted by requinix
I saw that before, but can't really see the difference.
March 6th, 2013, 10:55 PM
ENT_QUOTES will make it escape apostrophes too, in case you have HTML like
UTF-8 is to help with potential text encoding problems.
<input type='text' value='blah' />
March 6th, 2013, 11:06 PM
Just so that there's no misunderstanding: Of course you must not specify 'UTF-8' if the page encoding isn't UTF-8. You have to specify the actual encoding as set in the Content-Type header. If you don't explicitly specify the encoding, you rely on the default value, which may or may not be correct. If it isn't, this can render the whole function useless:
I've actually written down all that in the link in my signature.