PHP & MySQL: When Exactly to Use HTMLentities

PHP & mySQL: When exactly to use htmlentities?

Here's the general rule of thumb.

Escape variables at the last possible moment.

You want your variables to be clean representations of the data. That is, if you are trying to store the last name of someone named "O'Brien", then you definitely don't want these:

O&#039;Brien
O\'Brien

... because, well, that's not his name: there are no ampersands or slashes in it. When you take that variable and output it in a particular context (e.g. insert into an SQL query, or print to an HTML page), that is when you modify it.

$name = "O'Brien";

$sql = "SELECT * FROM people "
. "WHERE lastname = '" . mysql_real_escape_string($name) . "'";

$html = "<div>Last Name: " . htmlentities($name, ENT_QUOTES) . "</div>";

You never want to have htmlentities-encoded strings stored in your database. What happens when you want to generate a CSV or PDF, or anything which isn't HTML?

Keep the data clean, and only escape for the specific context of the moment.
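The rule above, carried through end to end, as an added example that is not part of the original answer. The `mysql_*` extension used in the answer was removed in PHP 7, so this version stores the raw value with a PDO prepared statement (SQLite in memory, so it runs offline) and then escapes the same value separately for each sink it reaches: an HTML text node, a URL query parameter inside an attribute, a CSV cell and a JSON document. The table name, sample value and the `toHtml`/`toQueryLink`/`toCsvRow`/`toJson` helpers are constructed for the example.

```php
<?php
// Added example: one clean value, escaped differently for each output
// context at the moment it is written there. Table, data and helper
// names are constructed for this demonstration.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, lastname TEXT NOT NULL)');

// The raw value goes into the database through a bound parameter. No
// quoting function is applied: the driver keeps data and SQL separate,
// so the apostrophe cannot terminate the string literal.
$name = "O'Brien <script>alert(1)</script>";   // constructed sample input
$ins = $pdo->prepare('INSERT INTO people (lastname) VALUES (:lastname)');
$ins->execute([':lastname' => $name]);

// Reading it back with a parameterised WHERE clause. Because nothing was
// entity-encoded on the way in, a search for the typed name still matches.
$sel = $pdo->prepare('SELECT lastname FROM people WHERE lastname = :lastname');
$sel->execute([':lastname' => $name]);
$stored = (string) $sel->fetchColumn();
assert($stored === $name);

// Escaping happens only where the value leaves the application.

// 1. HTML text node or attribute value: entity-encode, including quotes.
function toHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. URL query component: percent-encode per RFC 3986 first, then
//    HTML-escape the whole attribute value because it sits inside a tag.
function toQueryLink(string $s): string
{
    $url = '/people?lastname=' . rawurlencode($s);
    return '<a href="' . toHtml($url) . '">' . toHtml($s) . '</a>';
}

// 3. CSV cell: no HTML entities at all. fputcsv() quotes the field and
//    doubles embedded double quotes, which is the CSV escaping rule.
function toCsvRow(array $fields): string
{
    $fh = fopen('php://memory', 'w+');
    fputcsv($fh, $fields);
    rewind($fh);
    $row = stream_get_contents($fh);
    fclose($fh);
    return $row;
}

// 4. JSON for a JavaScript consumer: json_encode() does the escaping; an
//    entity-encoded value here would arrive garbled in the client.
function toJson(string $s): string
{
    return json_encode(
        ['lastname' => $s],
        JSON_HEX_TAG | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_HEX_APOS | JSON_THROW_ON_ERROR
    );
}

echo '<div>Last Name: ' . toHtml($stored) . "</div>\n";
echo toQueryLink($stored), "\n";
echo toCsvRow(['lastname', $stored]);
echo toJson($stored), "\n";
```

Each helper is named after the context it targets rather than after the data it receives; that is the practical difference between "escape on input" and "escape on output". The value in the database stays searchable, and adding a fifth output format later means adding one more helper, not rewriting what is stored.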

PHP htmlentities() on input vs on output

Unless you can guarantee that for the lifetime of your application the input is only going to be fed to a web browser, the matter is not up for discussion: you should use XSS protection on output, because otherwise you will end up having to massage your data on output (whatever kind of output that may be) on a case-by-case basis, which is exactly your current argument for applying the protection on input.

Seeing as it's quite unlikely that the above is true even right now (let alone in an unspecified future time) IMHO the answer is obvious.

HTML entities in my database. Search with zero results

Don't store HTML entities in the database. Those entities are intended for use in HTML only, in order to prevent cross-site scripting attacks amongst other things. Use htmlentities when outputting to an HTML page via PHP.

Having said this, make sure you properly parametrize your database queries when using user-inputted data in order to prevent SQL injection attacks.

PHP - Having more than one htmlentities() in your code

Because calling it a second time on the same value can double-encode it.

Taking the example from the PHP docs:

$str = "A 'quote' is <b>bold</b>";

$firstEntity = htmlentities($str);
// Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;

Now if we run that through htmlentities() again it will encode the ampersands that the first htmlentities() call created and you'll end up with a double-encoded string:

$secondEntity = htmlentities($firstEntity);
// Outputs: A 'quote' is &amp;lt;b&amp;gt;bold&amp;lt;/b&amp;gt;
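The double-encoding problem above, reproduced and then avoided, as an added example that is not part of the original answer. It uses the real fourth parameter of `htmlentities()`, `double_encode` (available since PHP 5.2.3), which leaves existing entities alone, and adds a small heuristic for spotting values that were already double-encoded before they reached the database. The `encodeOnce`, `encodeNoDouble` and `looksDoubleEncoded` helper names are constructed for the example.

```php
<?php
// Added example: how a second htmlentities() call double-encodes, and
// two ways to avoid it. Helper names are constructed for this demo.
declare(strict_types=1);

$str = "A 'quote' is <b>bold</b>";

// ENT_QUOTES and an explicit charset are passed so the result does not
// depend on the PHP version's default flags.
function encodeOnce(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

$first  = encodeOnce($str);
$second = encodeOnce($first);   // the bug: the & of every entity gets encoded again

echo $first, "\n";
echo $second, "\n";

// Fix 1 (preferred): keep the raw string in the database and encode once,
// at the point of HTML output. That is what the rest of this page argues.

// Fix 2: when a value may already contain entities, pass double_encode=false
// so existing entities are preserved instead of having their & re-encoded.
function encodeNoDouble(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8', false);
}

// Both calls yield the single-encoded form, whether the input was raw or
// already encoded once.
var_dump(encodeNoDouble($first) === $first);
var_dump(encodeNoDouble($str) === $first);

// Heuristic for data already sitting in a database: a double-encoded value
// changes when decoded once AND again when decoded a second time, whereas
// a single-encoded value is stable after the first decode. A raw string
// that legitimately contains "&amp;" would also trip this, so treat a hit
// as something to inspect, not as proof.
function looksDoubleEncoded(string $s): bool
{
    $once  = html_entity_decode($s, ENT_QUOTES, 'UTF-8');
    $twice = html_entity_decode($once, ENT_QUOTES, 'UTF-8');
    return $once !== $s && $twice !== $once;
}

var_dump(looksDoubleEncoded($second));   // true for the double-encoded string
var_dump(looksDoubleEncoded($first));    // false for the single-encoded one
```

Running it prints the single-encoded and double-encoded forms of `$str`, then `true` for the two `encodeNoDouble()` comparisons. Fix 2 is a repair for data that is already damaged or that arrives pre-encoded from elsewhere; it is not a reason to encode on input, because `double_encode=false` cannot tell a stored entity from text a user typed that happens to look like one.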

Is htmlentities($password_string) necessary?

The one and only time you use htmlentities for anything is if and when you're outputting data into HTML, right then and there. E.g.:

<p><?php echo htmlentities($data); ?></p>

In any other context HTML entities are generally useless* and will only garble/change/destroy your data. Indeed, using it on a password, probably nowhere near any HTML context, is highly suspect.

* Yes, you can probably find some specialised use case somewhere…

What is the best way to echo results from the database into html code in PHP?

Use urlencode or htmlspecialchars:

<a href="<?php echo urlencode($dburl)?>" title="<?php echo htmlspecialchars($dbvalue)?>">link</a>

htmlentities mysql_real_escape_string

I would say htmlentities() are good to prevent XSS attacks. So, if you're gonna re-render this data back to HTML format again, use it. If you're only worried about well-known SQL Injection attacks, I would say mysql_real_escape_string() is enough for you.

Remember that you need to decode HTML entities once you're gonna show them again.