PHP
PHP introduction
PHP basics
PHP variables
PHP functions
PHP conditions
PHP loops
PHP arrays
PHP OOP
PHP strings
PHP forms
PHP entitites
PHP files
PHP include files
PHP date and time
PHP cookies
PHP databases
PHP sessions
PHP summary

Programming

Programming intro
Java

Markup

First webpage guide
HTML
XHTML

Browser scripting

Javascript
VBScript
AJAX

Server scripting

ASP

Making money online

Make money online

PHP html entities

If you have pages that allow users to submit data that will be displayed, you should look out for potential code injections. This is a security risk that is easy to exploit on an unprotected website. For example, a user can type <script type="text/javascript"></script> into a submission form and have the ability to execute Javascript on your site!

This lesson focuses on:

The htmlentities() function

The htmlentities() function converts HTML into HTML entities. < would become &lt;, and > would become &gt;. By doing so, the browser can't run HTML tags that a malicious user might try to inject.

Example: 

//potential data submitted by a malicious user
$maliciousInput = "<script type="text/javascript>
alert('I am going to inject code! LULZ!')
</script>";

//convert HTML into HTML entities to prevent code injection
$safeInput = htmlentities($maliciousInput);

//now its ok to display the safe code
echo "$safeInput";

Output: 

&lt;script type="text/javascript&gt;
alert('I am going to inject code! LULZ!')
&lt;/script&gt;

If we did not use the htmlentities() function in the above example, the injected code would execute as intended by the malicious user.

Practice

Online code editor
Practical examples
Practical exercises
Step-by-step tutorials

Reference

Terms glossary
Reference material

Rate this site

Rate this site
Visitor comments