In a contact form, if someone enters the following into the textbox:
<?php echo 'hi'; ?>
I see that the server will not execute it because of an error. What I would like it to do is instead, somehow, escape it into plain text and display it correctly. I have seen other sites that are able to do this. I originally thought this could be solved by the addslashes() function, but that doesn't seem to work.
Thanks,
Phil
No. Use htmlspecialchars instead. Don't use addslashes.

To be more specific, addslashes bluntly escapes all instances of ', ", \ and NUL. It was meant to prevent SQL injection, but it has no real use in proper security measures.

What you want is to prevent the browser from interpreting tags as is (and that's entirely different from preventing SQL injections). For instance, if I want to talk about <script> elements, SO shouldn't simply send that string literally, causing an actual script to start (that can lead to Cross-site scripting), but some characters, especially < and >, need to be encoded as HTML entities so they're shown as angle brackets (the same is true for &, which otherwise would be interpreted as the start of an HTML entity).

In your case, output after htmlspecialchars would look like:
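As an added illustration (not part of the question or the answer above), the following PHP script runs the questioner's input and a few constructed strings through both addslashes() and htmlspecialchars(), so the difference is visible side by side; the escape_html() helper name and the sample inputs are this example's own.

```php
<?php
// Added example: escape untrusted contact-form text for display in HTML,
// and contrast it with addslashes(), which leaves < and > untouched.

// Constructed sample inputs, mimicking what a visitor might type in the form.
$inputs = [
    "<?php echo 'hi'; ?>",          // the input from the question
    "<script>alert(1)</script>",    // a tag the browser must not execute
    "Tom & Jerry's \"quotes\"",     // ampersand and both quote styles
];

/**
 * Escape a string for insertion into an HTML text node or a quoted attribute.
 * ENT_QUOTES encodes both ' and " (as &#039; and &quot;), ENT_SUBSTITUTE
 * replaces invalid UTF-8 instead of returning an empty string, and the charset
 * is passed explicitly so the result does not depend on php.ini defaults.
 */
function escape_html(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($inputs as $input) {
    // Raw input is echoed only for this CLI comparison; never do that in a page.
    echo "input:            $input\n";
    // addslashes() only backslashes quotes: the tags survive intact.
    echo "addslashes:       " . addslashes($input) . "\n";
    // htmlspecialchars() turns <, >, &, ' and " into entities the browser
    // renders as literal characters instead of parsing as markup.
    echo "htmlspecialchars: " . escape_html($input) . "\n\n";
}

// The same escaped value is safe as text content of an element...
$message = escape_html($inputs[1]);
echo "<p>You wrote: $message</p>\n";
// ...and inside a quoted attribute or textarea when re-filling the form.
echo '<textarea name="message">' . $message . "</textarea>\n";
```

Run it with the PHP CLI to see that the first input becomes `&lt;?php echo &#039;hi&#039;; ?&gt;`, which a browser displays exactly as the visitor typed it.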