HTML special characters opposite function

Stribor45 · March 18, 2018, 12:23am

I have string that looked like this (which I received from html form)…

$data = "Top Winner"

Which I put trough…

 $d = trim($data); 
 $d = stripslashes($data); 
 $d = htmlspecialchars($data);

before I put it into the database… result in my database looks like this…

&amp;amp;amp;amp;quot;Top Winner&amp;amp;amp;amp;quot;

Now I am trying to get this back to “Top Winner” and show it in the browser but it is showing it exactly as it is in the database. I am confused because I tried to use every single function here

PHP Decode

with no success. What am I doing wrong?

benanamen · March 18, 2018, 1:54am

What you are doing wrong is not using prepared statements. There is no need for all those code gymnastics to insert data into the DB.

Stribor45 · March 18, 2018, 1:57am

Actually I did use prepared statement “named placeholders” but isn’t it good idea to clean input that you receiving from the forms?

ahundiak · March 18, 2018, 2:13am

With prepared statements, escaping your data ahead of time is a waste. Just introduces the possibility more of errors. So no stripslashes needed for prepared statements.

The thing you are really missing is that htmlspecialchars is an output function. It takes care of escaping things like <,>,& which might otherwise confuse the browser. It’s very very very seldom to encounter a valid use case for using on input data.

The trim is okay if you need to guard against unwanted leading or trailing spaces.

benanamen · March 18, 2018, 3:51am

Beat me to it so I will just stand behind your response in agreement to everything you said to op.

Gandalf · March 18, 2018, 8:30am

In any case

$d = trim($data);
$d = stripslashes($data);
$d = htmlspecialchars($data);

The value of $d is going to be overwritten each time by the next statement.

Stribor45 · March 18, 2018, 12:21pm

Ok how should I have done it?

SamA74 · March 18, 2018, 12:33pm

Using prepared statements should guard you against sql injection, though it’s still a good idea to validate the input, I would not encode it on input, as mentioned, trimming is not a bad idea.

What I would do is encode on output:-

<?php echo htmlspecialchars($row['data']); ?>

…to guard against any script injection to your site/app that may slip past the previous validation.

If you were to apply multiple functions on a value (probably not these ones) you must pass the result of the previous function to the next function, not the unchanged original value.
Otherwise, as per your code only the last function will be used, as $data never changes and $d is overwritten on each line.

system · June 17, 2018, 7:33pm

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.