1. PHP intro
  2. PHP basics
  3. PHP variables
  4. PHP functions
  5. PHP conditions
  6. PHP loops
  7. PHP arrays
  8. PHP classes & objects
  9. PHP strings
  10. PHP forms
  11. PHP entities
  12. PHP files
  13. PHP include files
  14. PHP date & time
  15. PHP cookies
  16. PHP databases
  17. PHP sessions
  18. PHP summary

PHP html entities

If you have pages that allow users to submit data that will be displayed, you should look out for potential code injections. This is a security risk that is easy to exploit on an unprotected website. For example, a user can type <script type="text/javascript"></script> into a submission form and have the ability to execute Javascript on your site!

This tutorial focuses on:

The htmlentities() function

The htmlentities() function converts HTML into HTML entities. < would become &lt;, and > would become &gt;. By doing so, the browser can't run HTML tags that a malicious user might try to inject.

//data submitted by a malicious user $maliciousInput = "<script type="text/javascript> alert('I am going to inject code! LULZ!') </script>"; //convert HTML into HTML entities to prevent code injection $safeInput = htmlentities($maliciousInput); //now its ok to display it echo "$safeInput";
&lt;script type="text/javascript&gt; alert('I am going to inject code! LULZ!') &lt;/script&gt;

If we did not use the htmlentities() function in the above example, the injected code would execute as intended by the malicious user.

© Copyright 2013-2014
Terms of use | Privacy policy | Copyright information