Clean input from the form

I am not sure I am understanding why this function doesn't clean data that it is given. As an example, I have a PHP script that looks something like this…

<?php

if (isset($_GET["my_submit"])) {
    // escape the submitted value, then echo the escaped string
    $cost = htmlspecialchars($_GET["cost"]);
    echo $cost;
}
else {
    $cost = "";
}

When I enter this data, <a href='test'>Test</a>, into the form, I get exactly the same in the output.
This is what I see on the screen: <a href='test'>Test</a>

Should I not see this output: &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;?

If you do a ‘view source’ of the output in your browser, you will see the html entities.

htmlspecialchars() is an OUTPUT function. You use it when you output dynamic values on a web page. You do NOT use it on input data that you are going to use in your server-side code.

The only alteration you make to input data that you are going to use in your server-side code is to trim() it, so that you can detect if all white-space characters were entered. Anything else changes the meaning of the data. After you trim the value, you should validate that the data is what you expect. If the data is valid, use it. If it is not valid, set up and display a message for the visitor telling them what was wrong with the submitted data.


PHP has a filter_var function specifically designed to filter, sanitize and validate input data. As mentioned previously, htmlspecialchars is for output.

The filter_var function supports a number of different filters. In particular the FILTER_SANITIZE_SPECIAL_CHARS probably is close to what you want.

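The two answers above describe one pipeline: trim the input, validate it, use it, and call htmlspecialchars() only when echoing into HTML. Here is that pipeline applied to the thread's "cost" field, as an added example (not code from the thread or from any of its posters); it assumes cost is a non-negative number, so it uses filter_var() with FILTER_VALIDATE_FLOAT rather than a sanitize filter.

```php
<?php
// Added example, not code from the thread: handle the "cost" field the way the
// answers describe: trim, validate, use; escape with htmlspecialchars only on output.

/**
 * Validate a submitted cost. Returns the number, or null if the input is not
 * acceptable. trim() is the only change made to the raw value before validation.
 */
function validate_cost(string $raw): ?float
{
    $value = trim($raw);
    if ($value === '') {
        return null; // empty or whitespace-only submission
    }
    // filter_var with FILTER_VALIDATE_FLOAT returns false for non-numeric strings,
    // so "<a href='test'>Test</a>" is rejected instead of being "cleaned".
    $number = filter_var($value, FILTER_VALIDATE_FLOAT);
    if ($number === false || $number < 0) {
        return null;
    }
    return $number;
}

/** Escape a string for an HTML text or attribute context (the output step). */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$raw = '';
$cost = null;
$error = '';

if (isset($_GET['my_submit'])) {
    $raw = is_string($_GET['cost'] ?? null) ? $_GET['cost'] : '';
    $cost = validate_cost($raw);
    if ($cost === null) {
        $error = 'Cost must be a non-negative number.';
    }
}

// Output: the validated number is used as a number; anything echoed back
// (the error text, the visitor's original entry in the form field) goes through h().
if ($cost !== null) {
    echo '<p>Cost: ' . number_format($cost, 2) . '</p>';
} elseif ($error !== '') {
    echo '<p>' . h($error) . '</p>';
}
echo '<form method="get"><input type="text" name="cost" value="' . h($raw) . '">'
   . '<input type="submit" name="my_submit" value="Submit"></form>';
```

With the thread's input, validate_cost() returns null and the page shows the error message plus the original entry escaped in the field's value attribute; "view source" shows the entities, the rendered page shows the literal text.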

That makes sense. Thank you.
