Best way to protect displaying form data that may contain illegal characters?

Hello, I am working with a form that will show the user what they entered into a form the exact way they made it. But I know it can contain characters such as:

<,>,",',;,:,/,,},{,),(,$,etc

I know some of the characters can cause breaks, exploits, etc in PHP. So I am wondering how I can completely secure this form and make it echo all the exact text as it should be. Any ideas? Thanks!

Hi,

They can cause breaks or exploits?
How so?

If you keep your data and your scripts apart (you don't ever use 'eval', never use SQL queries sent via a form, and never allow scripts to save '.php' files in the directories where the PHP engine can be told to run them), you should be quite safe.

For escaping characters that can foul up the HTML you can use either one of the following functions:

[ul][li]htmlentities[/li]
[li]htmlspecialchars[/li][/ul]

The second is basically a subset of the first.

So echoing back to the users what they sent to the server is as simple as:
[php]
// Read the submitted field (empty string if the field was not posted)
$value = isset($_POST['some_field']) ? $_POST['some_field'] : '';
// Convert <, >, &, and " into HTML entities so the browser shows them as text
$escapedValue = htmlspecialchars( $value );
// $escapedValue = htmlentities( $value ); // uncomment when you want to use this one. Comment the
// previous one otherwise you'll get escaped escapecodes
echo $escapedValue;
[/php]

Is that what you were looking for?
Good luck :wink:

O.
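A fuller version of the approach above, added here as an example and not part of the original reply: it escapes a constructed sample string (a stand-in for `$_POST['some_field']`) with `ENT_QUOTES` so the result is safe both as page text and inside an attribute when the form is re-populated, shows the double-escaping effect the code comment warns about, and confirms the escaped text decodes back to exactly what the user typed. The function name `escape_for_html` and the sample input are assumptions made for this example.

```php
<?php
// Added example (not from the original thread): echo submitted form data back
// safely in both HTML text and attribute contexts.
// $sample is a constructed stand-in for $_POST['some_field'].

function escape_for_html(string $value): string
{
    // ENT_QUOTES escapes both " and ' so the output can sit inside a
    // single- or double-quoted attribute as well as in a text node.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed input containing the characters the question lists.
$sample = 'Tom said "hi" & <b>waved</b> <script>alert(\'x\')</script>';

$once  = escape_for_html($sample);
// Escaping an already-escaped string re-encodes its ampersands: this is the
// "escaped escapecodes" problem from using htmlentities AND htmlspecialchars.
$twice = escape_for_html($once);

echo "Original : $sample\n";
echo "Escaped  : $once\n";
echo "Double   : $twice\n";

// Round trip: the browser decodes the entities, so the user sees the exact
// text they typed, quotation marks included.
$roundTripOk = htmlspecialchars_decode($once, ENT_QUOTES | ENT_HTML5) === $sample;
echo 'Round trip intact: ' . ($roundTripOk ? 'yes' : 'no') . "\n";
?>
<!-- Text context: the entities render as the literal characters the user typed. -->
<p>You entered: <?= $once ?></p>

<!-- Attribute context: ENT_QUOTES is what stops a " in the input from closing
     the value="" attribute early and turning user text into markup. -->
<input type="text" name="some_field" value="<?= $once ?>">
```

Run it with `php -f` from the command line to see the three strings side by side, or drop it into a page served by PHP to see that the browser renders the escaped text exactly as it was entered. The single escaping step is applied once, at output time, and the raw value is kept untouched in `$sample`; that is the data/markup separation the reply above describes.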

Sort of, yes, but I am also looking for how to secure the PHP of echoing it. So if the user inserts a quotation, it doesn't show up as "Some quote here"! Any idea on how to fix this when echoing it back?
