htmlentities() vs. htmlspecialchars()
From the PHP documentation for htmlentities:
This function is identical to htmlspecialchars() in all ways, except with htmlentities(), all characters which have HTML character entity equivalents are translated into these entities.
From the PHP documentation for htmlspecialchars:
Certain characters have special significance in HTML, and should be represented by HTML entities if they are to preserve their meanings. This function returns a string with some of these conversions made; the translations made are those most useful for everyday web programming. If you require all HTML character entities to be translated, use htmlentities() instead.
The difference is what gets encoded. The choices are everything (entities) or "special" characters, like ampersand, double and single quotes, less than, and greater than (specialchars).
I prefer to use htmlspecialchars whenever possible.
For example:
// Assumes a UTF-8 source file (the default charset for both functions since PHP 5.4).
echo htmlentities('<Il était une fois un être>.');
// Output: &lt;Il &eacute;tait une fois un &ecirc;tre&gt;.
//                ^^^^^^^^                 ^^^^^^^
echo htmlspecialchars('<Il était une fois un être>.');
// Output: &lt;Il était une fois un être&gt;.
//         ^^^^                         ^^^^
PHP htmlspecialchars() or htmlentities() with exception
Easiest way would be to convert your string with htmlentities and then use preg_replace to replace back the selected tags:
<?php
$string = '<p><strong>A <i>test</i> string with a <a href="#">Test link</a></strong></p>';
// Encode everything first; '<' and '>' become &lt; and &gt;, '"' becomes &quot;.
$encoded_string = htmlentities($string);
// Then turn the encoded form of the allowed bare tags back into real tags.
$encoded_string = preg_replace('/&lt;(\/?(strong|b|i|em|br))&gt;/', '<$1>', $encoded_string);
echo($encoded_string);
//outputs: &lt;p&gt;<strong>A <i>test</i> string with a &lt;a href=&quot;#&quot;&gt;Test link&lt;/a&gt;</strong>&lt;/p&gt;
Of course if you want to handle arguments inside the tags as well, then the regex pattern needs some work, although these tags are generally lacking any argument.
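The encode-then-restore approach from the answer above, written as a reusable function with an explicit allowlist; this is an added example, not the answer's own code, and the function name and allowlist are assumptions.

```php
<?php
// Added example: encode the whole string with htmlentities(), then restore only a fixed
// allowlist of bare, attribute-less tags, as the answer describes. Tags that carry
// attributes (e.g. <a href="#">) stay encoded, because the pattern only matches
// "&lt;tag&gt;" and "&lt;/tag&gt;" with nothing in between.
function encodeExceptTags(string $html, array $allowedTags): string
{
    // ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE avoids an empty result on bad UTF-8.
    $encoded = htmlentities($html, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    if ($allowedTags === []) {
        return $encoded;
    }

    // Build an alternation of the allowed tag names, quoted so they cannot alter the regex.
    $alternation = implode('|', array_map(
        static fn(string $tag): string => preg_quote($tag, '/'),
        $allowedTags
    ));

    // &lt;strong&gt;, &lt;/strong&gt;, &lt;br&gt; ... become <strong>, </strong>, <br>
    $pattern = '/&lt;(\/?(?:' . $alternation . '))&gt;/i';

    // preg_replace() returns null on a regex error; fall back to the fully encoded string.
    return preg_replace($pattern, '<$1>', $encoded) ?? $encoded;
}

// Constructed sample input: the allowed tags are restored, <p> and the <a href> stay encoded.
$input = '<p><strong>A <i>test</i> string with a <a href="#">Test link</a></strong></p>';
echo encodeExceptTags($input, ['strong', 'b', 'i', 'em', 'br']), PHP_EOL;
```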
PHP htmlentities or htmlspecialchars
Not understanding why you're encoding html characters for this. It's a trusted string, so, just put it in single quotes and write it. If any characters are giving you trouble, escape them instead of encoding them.
If there's a reason you must do it this way, then decode inline. But it all seems a bit messy to me.
filter_var vs htmlentities vs htmlspecialchars
My guess (about lack of adoption) would be it's simply because the Filter extension is only enabled by default since v5.2, whereas the html* methods have been around longer.
htmlspecialchars() x htmlentities()
htmlentities is a workaround for not having set the character type of the document properly. htmlspecialchars is the correct function to use for merely writing text into an HTML document.
As to your second question, I think you're looking for addcslashes.
Do I need htmlentities() or htmlspecialchars() in prepared statements?
htmlentities and htmlspecialchars are used to generate the HTML output that is sent to the browser.
Prepared statements are used to generate/send queries to the Database engine.
Both allow escaping of data; but they don't escape for the same usage.
So, no, prepared statements (for SQL queries) don't prevent you from properly using htmlspecialchars/htmlentities (for HTML generation)
About strip_tags: it will remove tags from a string, where htmlspecialchars will transform them to HTML entities.
Those two functions don't do the same thing; you should choose which one to use depending on your needs / what you want to get.
For instance, with this piece of code:
$str = 'this is a <strong>test</strong>';
var_dump(strip_tags($str));
var_dump(htmlspecialchars($str));
You'll get this kind of output:
string 'this is a test' (length=14)
string 'this is a &lt;strong&gt;test&lt;/strong&gt;' (length=43)
In the first case, no tag; in the second, properly escaped ones.
And, with an HTML output:
$str = 'this is a <strong>test</strong>';
echo strip_tags($str);
echo '<br />';
echo htmlspecialchars($str);
You'll get:
this is a test
this is a <strong>test</strong>
Which one of those do you want? That is the important question ;-)
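The two escaping layers the answer above keeps apart, shown together in one script; this is an added example, not the answer's code, and it assumes the pdo_sqlite driver is available so it can run against an in-memory database.

```php
<?php
// Added example: SQL escaping and HTML escaping are separate layers.
// Storage uses a prepared statement, so the text is stored exactly as typed;
// rendering uses htmlspecialchars() with explicit flags, so the same text is safe in HTML.
// Assumption: pdo_sqlite is installed (used only so the snippet runs stand-alone).

// Escape for an HTML text node or a quoted attribute value. ENT_QUOTES covers both
// quote styles (before PHP 8.1 the default left single quotes untouched);
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample input containing both SQL and HTML metacharacters.
$author = "O'Brien";
$body   = 'Use <b>bold</b> & "quotes"; see <a href="x">here</a>';

// SQL layer: no HTML escaping here; the driver binds the raw values as data.
$insert = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
$insert->execute([':author' => $author, ':body' => $body]);

// HTML layer: escape at output, once, for the context the value lands in
// (a single-quoted attribute and a text node).
$row = $pdo->query('SELECT author, body FROM comments')->fetch(PDO::FETCH_ASSOC);
echo "<div data-author='", e($row['author']), "'>", PHP_EOL;
echo '  <p>', e($row['body']), '</p>', PHP_EOL;
echo '</div>', PHP_EOL;
```

Swapping e() for strip_tags() here would delete the `<b>` and `<a>` markup from the stored text instead of displaying it literally, which is the distinction the answer draws.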