Given the following two HTML/PHP snippets:
<input type="text" name="firstname" value="<?php echo $_POST['firstname']; ?>" />
and
<textarea name="content"><?php echo $_POST['content']; ?></textarea>
what character encoding do I need to use for the echoed $_POST variables? Can I use any built-in PHP functions?
Please assume that the $_POST values have not been encoded at all yet. No magic quotes - no nothing.
Use htmlspecialchars($_POST['firstname']) and htmlspecialchars($_POST['content']).
Always escape strings with htmlspecialchars() before showing them to the user.
value='single quotes' This is what happens: value='We're not using this in our "code"...' All you see is We
<input> tags.ENT_QUOTES as the second htmlspecialchars() argument, single quotes will not be escaped. Therefore any single quotes present in your $_POST value will break out of the <input> field.
ENT_QUOTES parameter then single quotes are not escaped. This is not a problem if in the input tag you define the value parameter as value="double quotes". The double quotes are escaped in the user provided string and the part with value="... is provided by the server.htmlspecialchars would work in both cases. Have a look at the different flag options to avoid quotation marks being a problem in the input case.
Given it is kind of long, I would put it in a function:
<?php
function encodeValue ($s) {
return htmlentities($s, ENT_COMPAT|ENT_QUOTES, 'ISO-8859-1', true);
}
?>
This has ENT_QUOTES to make sure single and double quotes are encoded, but it will also encode special characters (like in José) instead of inserting an empty string.
Then you can do:
<input type="text" name="firstname" value="<?= encodeValue($_POST['firstname']) ?>" />
and
<textarea name="content"><?= encodeValue($_POST['content']) ?></textarea>
ENT_QUOTES only would be enough to escape both double and single.
ISO-8859-1 rather than the more commonly used today, default, value UTF-8. If in doubt, start with simpler return htmlentities($s, ENT_QUOTES);
