How can I properly escape HTML form input default values in PHP?
Solution 1
Use htmlspecialchars($_POST['firstname']) and htmlspecialchars($_POST['content']). Always escape strings with htmlspecialchars() before showing them to the user.
Solution 2
htmlspecialchars would work in both cases. Have a look at the different flag options to avoid quotation marks being a problem in the input case.
Solution 3
Given it is kinda long I would put it in a function:
<?php
// Escapes a value for output inside an HTML attribute or element body.
function encodeValue ($s) {
    // ENT_QUOTES already includes ENT_COMPAT; together they encode both " and '.
    // The charset argument must match the encoding of the bytes in $s.
    return htmlentities($s, ENT_COMPAT|ENT_QUOTES, 'ISO-8859-1', true);
}
?>
This has ENT_QUOTES to make sure single and double quotes are encoded, but it will also encode special characters (like in José) instead of inserting an empty string.
Then you can do:
<input type="text" name="firstname" value="<?= encodeValue($_POST['firstname']) ?>" />
and
<textarea name="content"><?= encodeValue($_POST['content']) ?></textarea>
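As an added example (not code from any of the answers), here is the same idea built on htmlspecialchars() with the flags the answers mention. The function name escapeHtml() and the $post array are my own; $post is constructed sample data standing in for $_POST so the script runs offline.

```php
<?php
// Added example, not code from the answers above: an output-escaping helper
// built on htmlspecialchars() with the flags the answers discuss. The function
// name escapeHtml() and the $post array are my own choices.
declare(strict_types=1);

function escapeHtml(?string $value): string
{
    // ENT_QUOTES    : encode both " and ' so a value cannot close a quoted attribute.
    // ENT_SUBSTITUTE: replace invalid UTF-8 sequences with U+FFFD instead of
    //                 returning "" (the behaviour that makes accented names vanish).
    // 'UTF-8'       : must match the encoding of the bytes actually in $value.
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample request data standing in for $_POST; nothing is read
// from a real request here. The second value carries the single/double quote
// mix raised in the comments below.
$post = [
    'firstname' => "José <b>O'Brien</b>",
    'content'   => "We're not using this in our \"code\"...",
];

// Missing keys fall back to "" instead of raising an undefined-index notice.
$firstname = escapeHtml($post['firstname'] ?? null);
$content   = escapeHtml($post['content'] ?? null);
?>
<input type="text" name="firstname" value="<?= $firstname ?>" />
<textarea name="content"><?= $content ?></textarea>
```

Run with php on the command line, the attribute comes out as value="José &lt;b&gt;O&#039;Brien&lt;/b&gt;" and the textarea body as We&#039;re not using this in our &quot;code&quot;..., so neither quote style can terminate the attribute and the markup inside the name is rendered as text rather than parsed as HTML.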
Ryan
Updated on June 16, 2021
Comments
- Ryan almost 3 years
Given the following two HTML/PHP snippets:
<input type="text" name="firstname" value="<?php echo $_POST['firstname']; ?>" />
and
<textarea name="content"><?php echo $_POST['content']; ?></textarea>
what character encoding do I need to use for the echoed $_POST variables? Can I use any built-in PHP functions? Please assume that the $_POST values have not been encoded at all yet. No magic quotes, no nothing.
- PJ Brunet over 12 years
However, htmlspecialchars() won't help you with value='single quotes'. This is what happens: value='We're not using this in our "code"...' All you see is We
- Your Common Sense over 12 years
So, don't use single quotes in values. Or use the ENT_QUOTES modifier. Not a big deal.
- Jordan Eldredge over 11 years
Note: It is important to use double quotes for the value attribute in <input> tags.
- Jordan Eldredge over 11 years
Unless you specify ENT_QUOTES as the second htmlspecialchars() argument, single quotes will not be escaped. Therefore any single quotes present in your $_POST value will break out of the <input> field.
- Jordan Eldredge over 11 years
@YourCommonSense Presumably post data is coming from the user, so "don't use single quotes in values" is not terribly helpful advice. Using ENT_QUOTES is the correct solution, but remembering to do so could be a "big deal".
- Brainware almost 11 years
Note: Don't be tempted to use htmlentities(). That breaks UTF-8 characters. As rid said, use htmlspecialchars().
- GoTo over 9 years
If you don't use the ENT_QUOTES parameter then single quotes are not escaped. This is not a problem if in the input tag you define the value parameter as value="double quotes". The double quotes are escaped in the user-provided string and the part with value="... is provided by the server.
- Noumenon over 8 years
@Brainware Even now that htmlentities() defaults to UTF-8?
- kta over 7 years
That's the output escaping. User wanted to know input escaping.
- Sander Visser about 5 years
ENT_QUOTES only would be enough to escape both double and single.
- ToolmakerSteve about 5 years
Not clear why this answer specifies ISO-8859-1 rather than the more commonly used today, default, value UTF-8. If in doubt, start with simpler return htmlentities($s, ENT_QUOTES);
- Eric almost 5 years
@ToolmakerSteve, why ISO-8859-1 vs UTF-8? Because that is what worked and I never tested UTF-8. Welcome some investigation there. Just using ENT_QUOTES does not work for characters with accents and will screw up names.
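The comment thread above goes back and forth on htmlentities() versus htmlspecialchars() and on ISO-8859-1 versus UTF-8 without showing what actually happens. The script below is an added example, not from the thread, that runs the same name through both functions with matching and mismatched charset arguments; compareEscapes() and the byte strings are constructed for the demonstration. Since PHP 5.4 the default charset of both functions is UTF-8, so the cases that matter are whether the bytes you pass in really are UTF-8.

```php
<?php
// Added example, not from the thread: demonstrates the charset mismatch behind
// the ISO-8859-1 vs UTF-8 discussion. Function name and sample bytes are constructed.
declare(strict_types=1);

function compareEscapes(): array
{
    $utf8   = "Jos\xC3\xA9"; // "José" as UTF-8 bytes
    $latin1 = "Jos\xE9";     // "José" as ISO-8859-1 bytes (not valid UTF-8)

    return [
        // Bytes match the declared charset: the accent survives with either function.
        'utf8_specialchars'  => htmlspecialchars($utf8, ENT_QUOTES, 'UTF-8'),
        'utf8_entities'      => htmlentities($utf8, ENT_QUOTES, 'UTF-8'),
        // Latin-1 bytes declared as UTF-8: invalid sequence, so the whole result is ""
        // unless ENT_SUBSTITUTE (or ENT_IGNORE) is given.
        'latin1_as_utf8'     => htmlspecialchars($latin1, ENT_QUOTES, 'UTF-8'),
        // ENT_SUBSTITUTE keeps the rest of the string and inserts U+FFFD for the bad byte.
        'latin1_substituted' => htmlspecialchars($latin1, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        // Declaring the charset the bytes really use is the correct fix.
        'latin1_declared'    => htmlentities($latin1, ENT_QUOTES, 'ISO-8859-1'),
    ];
}

// Print each result as hex beside the raw string so invisible differences show up.
foreach (compareEscapes() as $case => $result) {
    printf("%-20s %-24s %s\n", $case, bin2hex($result), $result);
}
```

With matching charsets the UTF-8 input comes back as José from htmlspecialchars() and as Jos&eacute; from htmlentities(), so neither function "breaks" UTF-8 by itself. The latin1_as_utf8 case prints an empty hex column: that silent empty string is the "will screw up names" symptom in the last comment, and it is caused by passing ISO-8859-1 bytes while declaring UTF-8, not by the choice of flag. ENT_SUBSTITUTE turns it into a visible replacement character, and declaring ISO-8859-1 for ISO-8859-1 bytes yields Jos&eacute; again. The practical rule is to decide on one encoding for the whole request path (usually UTF-8) and pass that same name as the charset argument.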