I understand what htmlentities() does and that it can increase security, but I don’t want to use it indiscriminately. My dilemma is as follows:
I have a project that accepts user input via a form; the form data is analysed and searched for the occurrence of particular strings. Now, whilst the data displays OK in a browser, the actual text is obviously interspersed with additional characters, which makes analysing it difficult.
My questions are:
If submitted text is not converted using htmlentities() is it only a threat if you click on it?
Does htmlentities() have any benefit in preventing SQL injection? I.e. can I save it unconverted and just convert it before I display it?
If input is not converted using htmlentities() is there any threat if it is never saved to a database and never displayed in a browser?
Sorry if this sounds a bit dumb, but I like to understand as fully as possible
Same here. There are several ways to display text in your browser, and depending on the way it is done, the text must have other content to execute a script (I just gave one possible example).
Can I please ask an off-topic question, seeing your title is Mentor. I asked a question about developing an HTML 5 pattern using regex but am only getting replies about the PHP part. Is there a better place or better way to ask, please?
But do you understand what its primary purpose is?
Sometimes we need to show HTML in a web page, such as the following.
If we put that HTML in a web page without using HTML entities, the browser will format the HTML the same as all the other HTML. So we can use HTML entities, as in the following, which the browser converts to the HTML we want shown.
Using HTML entities for security purposes is a secondary purpose. I suggest not trusting it for use for security.
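A worked PHP example of the "store raw, encode at output" approach the question asks about, added here and not from either poster. It assumes the pdo_sqlite extension is available (an in-memory SQLite database stands in for the real one) and uses constructed sample input; the search needle `R&D` is chosen because it contains a character that htmlentities() rewrites.

```php
<?php
// Added example (not from the thread). Keep the raw submitted text for
// analysis and storage; encode it only when building HTML output.

// Constructed sample form input.
$input = 'Our R&D team says <b>hello</b> & "goodbye"';

// Encoding for the HTML text/attribute context. ENT_QUOTES covers both quote
// characters, ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function toHtmlText(string $text): string {
    return htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// String analysis belongs on the raw text. On the encoded form the needle
// 'R&D' no longer exists, because '&' has become '&amp;'.
function countOccurrences(string $haystack, string $needle): int {
    return $needle === '' ? 0 : substr_count($haystack, $needle);
}

// htmlentities() does nothing against SQL injection. A prepared statement keeps
// the data out of the query text, so the raw string can be stored unchanged.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE submissions (id INTEGER PRIMARY KEY, body TEXT)');
$stmt = $pdo->prepare('INSERT INTO submissions (body) VALUES (:body)');
$stmt->execute([':body' => $input]);

$row = $pdo->query('SELECT body FROM submissions')->fetch(PDO::FETCH_ASSOC);
$raw = $row['body'];

printf("raw matches for 'R&D':     %d\n", countOccurrences($raw, 'R&D'));          // 1
printf("encoded matches for 'R&D': %d\n", countOccurrences(toHtmlText($raw), 'R&D')); // 0
printf("stored raw:  %s\n", $raw);
printf("for browser: %s\n", toHtmlText($raw));
```

Run it from the command line with `php example.php`; the last line shows the `<b>` and `<script>`-style markup rendered as visible text rather than as tags.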