Proper HTML-escaping in PHP


#1

First this isn’t going to be a very long tutorial, for basically it’s to clarify how to escape HTML properly in PHP. I am the first to admit I’m no expert when in comes to this and I have even muddied it myself in the past, for that I apologize. I just want to say it wasn’t my intention to do so. Anyways, the most important thing to remember is to sanitize the output that the users will see on the screen and not the input! I know what you’re thinking, but the data won’t be stored safely in the database if I don’t sanitize it first. You’re right it won’t, but if you escape the data at the input the data will have special characters along with the text that will be stored as well in the database. Normally that is a good thing, but what happens if you want to use Ajax and Javascript? That will just complicate the matters when it comes to the output. As long as you are using prepared statements you won’t have to worry about your database table(s) getting corrupted. So my suggestion is to sanitize the output only using htmlspecialchars or by using a proper template engine such as http://twig.sensiolabs.org/ or Smarty.

If you are doing it yourself you can make HTML-escaping a little less cumbersome by putting a function like this in your configuration file.
[php]function html_escape($raw_input) {
// important! don’t forget to specify ENT_QUOTES and the correct encoding
return htmlspecialchars($raw_input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, ‘UTF-8’);
}[/php]

and an example of how to use:
[php]

<?php echo nl2br(html_escape($row->content)); ?>

[/php]