Is My htmlspecialchars() & htmlentities() Validly Used?

PHP
1

I want to know where I used my htmlentities() and htmlspecialchars() correctly out of the 4 WHILE Loops below.
If any of the 4 are invalid then I’d like to know why and how to fix them.

$i = '1';
while($i<=$total_pages)
{
	$query_string_2 = '&page=' .intval($i);
	$url = $path .htmlentities($query_string_1) .htmlentities($query_string_2); //Full URL With $_REQUEST params (Query Strings): https://localhost/Templates/url_encode_Template.php?find=keyword&tbl=links&col=keyword&max=100&page=1

if($page == $i)
{
	//Bold the current Page numbered link.
	echo '<a href=' .'"' .$url .'"' .'>' .'<b>' .intval($i) .'</b>' .'</a>';
}
else
{
	echo '<a href=' .'"' .$url .'"' .'>' .intval($i) .'</a>';
}
$i++;
}


$i = '1';
while($i<=$total_pages)
{
	$query_string_2 = '&page=' .intval($i);
	
if($page == $i)
{
	//Bold the current Page numbered link.
	echo '<a href=' .'"' ."$path" .htmlentities($query_string_1) .htmlentities($query_string_2) .'"' .'>' .'<b>' .intval($i) .'</b>' .'</a>';
}
else
{
	echo '<a href=' .'"' ."$path" .htmlentities($query_string_1) .htmlentities($query_string_2) .'"' .'>' .intval($i) .'</a>';
}
$i++;
}

$i = '1';
while($i<=$total_pages)
{
	$query_string_2 = '&page=' .intval($i);
	$url = $path .$query_string_1 .$query_string_2; //Full URL With $_REQUEST params (Query Strings): https://localhost/Templates/url_encode_Template.php?find=keyword&tbl=links&col=keyword&max=100&page=1

if($page == $i)
{
	//Bold the current Page numbered link.
	echo '<a href=' .'"' .htmlspecialchars($url) .'"' .'>' .'<b>' .intval($i) .'</b>' .'</a>';
}
else
{
	echo '<a href=' .'"' .htmlspecialchars($url) .'"' .'>' .intval($i) .'</a>';
}
$i++;
}


$i = '1';
while($i<=$total_pages)
{
	$query_string_2 = '&page=' .intval($i);
	$url = $path .htmlentities($query_string_1) .htmlentities($query_string_2); //Full URL With $_REQUEST params (Query Strings): https://localhost/Templates/url_encode_Template.php?find=keyword&tbl=links&col=keyword&max=100&page=1

if($page == $i)
{
	//Bold the current Page numbered link.
	echo '<a href=' .'"' .htmlspecialchars($url) .'"' .'>' .'<b>' .intval($i) .'</b>' .'</a>';
}
else
{
	echo '<a href=' .'"' .htmlspecialchars($url) .'"' .'>' .intval($i) .'</a>';
}
$i++;
}

I would really appreciate if you could show me code sample how you yourself program on things like this.
The above codes are part of pagination that echoes page numbers 1234 etc. like you see at the bottom of google search result pages.

Code Context:
Hmlt

<form method = 'GET' action = "">
<label for='find'>Find</label>
<input type='text' name='find' id='find'>
<br>
Table:
<input type='radio' name='table' id='sale'><label for='table'>Websites On Sale</label>
<input type='radio' name='table' id='sold'><label for='table'>Websites Sold</label>
<input type='radio' name='table' id='links'><label for='table'>Links</label>
<br>
<label for="column">Column:</label>
<select name="column" id="column">
	<option value=""></option>
	<option value="domain">Domain</option>
	<option value="email">Email</option>
	<option value="submission_id">Submission Id</option>
	<option value="url">Url</option>
	<option value="anchor">Anchor</option>
	<option value="description">Description</option>
	<option value="keywords">Keyword</option>
	</select>
<br>
<button type='submit'>Search!</button>
</form>

Php

<?php

//ERROR REPORTING FOR DEVMODE ONLY.
ini_set('display_errors','1');
ini_set('display_startup_errors','1');
error_reporting(E_ALL);

//MYSQLI CONNECTION.
mysqli_report(MYSQLI_REPORT_ERROR|MYSQLI_REPORT_STRICT);

$server = 'localhost';
$user = 'root';
$password = '';
$database = 'brute';

if(!$conn = mysqli_connect("$server","$user","$password","$database"))
{
	echo 'Mysqli Connection Error' .mysqli_connect_error($conn);
	echo 'Mysqli Connection Error Number' .mysqli_connect_errno($conn);
}

if(!mysqli_character_set_name($conn) == 'utf8mb4')
{
	echo 'Initial Character Set: ' .mysqli_character_set_name($conn);
	mysqli_set_charset("$conn",'utf8mb4');
	echo 'Current Character Set: ' .mysqli_character_set_name($conn);
}


//SECTION: WHITE-LISTS.
//Valid list of Mysql Tables.
$tables_white_list = array('sale','sold','links');
//Valid list of Mysql Table Columns.
$columns_white_list = array('email','domain','url','anchor','description','keyword');
//Banned Words List. Users cannot search these keywords.
$blacklisted_words = array('prick','dick');

//SECTION: VALIDATE SERP URL.
//Check if "table" exists or not in Url's Query String.
if(ISSET($_REQUEST['table']) && !empty(trim($_REQUEST['table'])) && is_string(trim($_REQUEST['table'])))
{
	if(in_array(trim($_REQUEST['table']),$tables_white_list)) //MySql Tbl to Search.
	{
		$tbl = trim($_REQUEST['table']);
	}
	else
	{
		die('Invalid Table!');
	}
}
else
{
	die('Select Table!');
}

//Check if "column" exists or not in Url's Query String.
if(ISSET($_REQUEST['column']) && !empty(trim($_REQUEST['column'])) && is_string(trim($_REQUEST['column'])))
{
	if(in_array(trim($_REQUEST['column']),$columns_white_list)) //MySql Tbl Col to search.
	{
		$col = trim($_REQUEST['column']);
	}
	else
	{
		die('Invalid Column!');
	}
}
else
{
	die('Select Column!');
}

//Check if "search term" exists or not in Url's Query String.
if(!ISSET($_REQUEST['find']) || empty(trim($_REQUEST['find'])) && !is_string(trim($_REQUEST['find'])) || !is_int(trim($_REQUEST['find']))) //Using $_REQUEST[] for both $_REQUEST['POST'] & $_REQUEST['REQUEST'].
{
	die('Enter Keywords to search!');
}
else
{
	if(in_array(trim($_REQUEST['find']),$blacklisted_words)) //Keyword(s) to search.
	{
		die('Your search terms contains a banned word! Try some other keywords');
	}
	else
	{
		$find = trim($_REQUEST['find']); //Not trimming or ridding trailing spaces here as user's keyword (eg. foreign keywords or symbols) may actually contain such spaces.	
				
	if($col=='submission_id')
	{
		if(!is_INT($find))
		{
			die('Enter a valid Submission Number! Can only be a numerical value.');
		}
		else
		{
			$submission_id = $find;
		}
	}
	
	if($col=='email')
	{
		if(!filter_input(INPUT_GET, "email", FILTER_VALIDATE_EMAIL))
		{
			die('Enter a valid Email!');
		}
		else
		{
			$email = $find;
		}
	}
	
	if($col=='domain')
	{
		if(!filter_input(INPUT_GET, "domain", FILTER_VALIDATE_DOMAIN))
		{
			die('Enter a valid Domain!');
		}
		else
		{
			$domain = $find;
		}
	}
	if($col=='url')
	{
		if(!filter_input(INPUT_GET, "url", FILTER_VALIDATE_URL))
		{
			die('Enter a valid Url!');
		}
		else
		{
			$url = $find;
		}
	}
	
	if($col=='anchor')
	{
		if(!filter_input(INPUT_GET, "anchor", FILTER_VALIDATE_STRING)) //HOW TO VALIDATE STRING ?
		{
			die('Enter a valid Description!');
		}
		else
		{
			$description = $find;
		}
	}
	
	if($col=='description')
	{
		if(!filter_input(INPUT_GET, "description", FILTER_VALIDATE_STRING)) //HOW TO VALIDATE STRING ?
		{
			die('Enter a valid Description!');
		}
		else
		{
			$description = $find;
		}
	}
	
	if($col=='keyword')
	{
		if(!filter_input(INPUT_GET, "keyword", FILTER_VALIDATE_STRING))
		{
			die('Enter a valid Keyword!');
		}
		else
		{
			$keyword = $find;
		}
	}
}
}

$max = (!empty($_REQUEST['max']) and intval($_REQUEST['max']) > 0)
? intval($_REQUEST['max']) : 1;

$page_no = (!empty($_REQUEST['page']) and intval($_REQUEST['page']) > 0)
? intval($_REQUEST['page']) : 1;

//SECTION: QUERY DATABASE FOR KEYWORD COUNT.
$query = "SELECT COUNT(id) From links WHERE keyword = ?";
$stmt = mysqli_stmt_init($conn);
if(mysqli_stmt_prepare($stmt,$query))
{
	mysqli_stmt_bind_param($stmt,'s',$find);
	mysqli_stmt_execute($stmt);
	mysqli_stmt_bind_result($stmt,$row_count);
	if(mysqli_stmt_fetch($stmt))
	{
		echo 'Row Count: ' .$row_count; echo '<br>';	
	}
	else
	{
		echo 'Record fetching failed!';
		echo 'Error: ' .mysqli_stmt_error($conn);
		echo 'Error: ' .mysqli_stmt_errno($conn);
	}
	mysqli_stmt_close($stmt);
}
else
{
	echo 'find Preparation Failed!';
}
//mysqli_close($conn);
echo '<b>'; echo __LINE__; echo '</b>'; echo '<br>';


//SECTION: QUERY DATABASE FOR SEARCH-TERM MATCHES.
echo $offset = ($page*$max)-$max; echo '<br>';
$query = "SELECT id,date_and_time,name,age,zip,phone,mobile,fax,email,domain,url,description From links WHERE $tbl = ? LIMIT $offset,$max";
$stmt = mysqli_stmt_init($conn);
if(mysqli_stmt_prepare($stmt,$query))
{
	mysqli_stmt_bind_param($stmt,'s',$find);
	mysqli_stmt_execute($stmt);
	if($result = mysqli_stmt_get_result($stmt))
	{
		$columns = mysqli_fetch_array($result);
		
	$submission_id = $columns['id'];
	$submission_date_and_time = $columns['date_and_time'];
	$email = $columns['email'];
	$domain = $columns['domain'];
	$url = $columns['url'];
	$anchor = $columns['anchor'];
	$description = $columns['description'];
	$keyword = $columns['keyword'];	
			
	echo 'Submission Id: ' .$submission_id; echo '<br>';
	echo 'Submission Date And Time: ' .$submission_date_and_time; echo '<br>';
	echo 'Email: ' .$email; echo '<br>';
	echo 'Domain: ' .$domain; echo '<br>';
	echo 'Url: ' .$url; echo '<br>';
	echo 'Anchor: ' .$anchor; echo '<br>';
	echo 'Description: ' .$description; echo '<br>';
	echo 'Keyword: ' .$keyword; echo '<br>';
	//WHICH OF THE FOLLOWING TWO ECHOES IS BEST ?
	echo 'Link: <a href=' .'"' .strip_tags($url) .'"' .'>' .'<b>' .strip_tags($url) .'</b>' .'</a>'; echo '<br>'; //Need to add your aided code on this line before echoing third party submitted links on my page. Your code needs to detect url structure and break them up into pieces and apply the appropriate php function (urlencode(), raw_urlencode(), htmlentities(), htmlspecialchars(), intval() on the appropriate pieces.
	echo 'Link: <a href=' .'"' .htmlspecialchars($url) .'"' .'>' .'<b>' .htmlspecialchars($url) .'</b>' .'</a>'; echo '<br>'; //Need to add your aided code on this line before echoing third party submitted links on my page. Your code needs to detect url structure and break them up into pieces and apply the appropriate php function (urlencode(), raw_urlencode(), htmlentities(), htmlspecialchars(), intval() on the appropriate pieces.
}
else
{
	//Error Messages for Production Mode only.
	echo 'Record fetching failed!';
	echo 'Error: ' .mysqli_stmt_error($stmt);
	echo 'Error: ' .mysqli_stmt_errno($stmt);
}
mysqli_stmt_close($stmt);
}
mysqli_close($conn);


//SECTION: PAGINATION SECTION TO NUMBER THE SERPS AND LINK THEM.
$total_pages = ceil($row_count/$max);
//Grab the current page's url.
$selfpage = basename(__FILE__,''); //Echoes: url_encode_Template.php. Does not fetch the url's query terms (params & their values absent).
//Encode the File Path.
$path = rawurlencode($selfpage);
//Encode the Query String in the url.
$query_string_1 = '?find=' .urlencode($find) .'&table=' .urlencode($table) .'&column=' .urlencode($column) .'&max=' .intval($max);

//1. WHICH WHILE LOOP IS BEST ?
$i = '1';
while($i<=$total_pages)
{
	$query_string_2 = '&page=' .intval($i);
	$url = $path .htmlentities($query_string_1) .htmlentities($query_string_2); //Full URL With $_REQUEST params (Query Strings): https://localhost/Templates/url_encode_Template.php?find=keyword&tbl=links&col=keyword&max=100&page=1

if($page == $i)
{
	//Bold the current Page numbered link.
	echo '<a href=' .'"' .$url .'"' .'>' .'<b>' .intval($i) .'</b>' .'</a>';
}
else
{
	echo '<a href=' .'"' .$url .'"' .'>' .intval($i) .'</a>';
}
$i++;
}

echo '<br>';

//2. WHICH WHILE LOOP IS BEST ?
$i = '1';
while($i<=$total_pages)
{
	$query_string_2 = '&page=' .intval($i);
	
if($page == $i)
{
	//Bold the current Page numbered link.
	echo '<a href=' .'"' ."$path" .htmlentities($query_string_1) .htmlentities($query_string_2) .'"' .'>' .'<b>' .intval($i) .'</b>' .'</a>';
}
else
{
	echo '<a href=' .'"' ."$path" .htmlentities($query_string_1) .htmlentities($query_string_2) .'"' .'>' .intval($i) .'</a>';
}
$i++;
}

//3. WHICH WHILE LOOP IS BEST ?
$i = '1';
while($i<=$total_pages)
{
	$query_string_2 = '&page=' .intval($i);
	$url = $path .$query_string_1 .$query_string_2; //Full URL With $_REQUEST params (Query Strings): https://localhost/Templates/url_encode_Template.php?find=keyword&tbl=links&col=keyword&max=100&page=1

if($page == $i)
{
	//Bold the current Page numbered link.
	echo '<a href=' .'"' .htmlspecialchars($url) .'"' .'>' .'<b>' .intval($i) .'</b>' .'</a>';
}
else
{
	echo '<a href=' .'"' .htmlspecialchars($url) .'"' .'>' .intval($i) .'</a>';
}
$i++;
}

echo '<br>';

//4. WHICH WHILE LOOP IS BEST ?
$i = '1';
while($i<=$total_pages)
{
	$query_string_2 = '&page=' .intval($i);
	$url = $path .htmlentities($query_string_1) .htmlentities($query_string_2); //Full URL With $_REQUEST params (Query Strings): https://localhost/Templates/url_encode_Template.php?find=keyword&tbl=links&col=keyword&max=100&page=1

if($page == $i)
{
	//Bold the current Page numbered link.
	echo '<a href=' .'"' .htmlspecialchars($url) .'"' .'>' .'<b>' .intval($i) .'</b>' .'</a>';
}
else
{
	echo '<a href=' .'"' .htmlspecialchars($url) .'"' .'>' .intval($i) .'</a>';
}
$i++;
}

echo '<br>';

?>

If there any other serious errors on my above code then I’d appreciate your corrected code samples.

Thank You!

2

The functions you mention are for HTML output which it looks like you are doing. The “problem” I see is the repetition of exact output strings save for a Bold reference. You can easily tighten up the code to eliminate the duplication.

There are others issues as well. Best to not run this on a production/public facing server until you understand the other issues with the code. I don’t have time right now to get into the rest of it.

3

Thread closed as OP is banned.