
htmlentities()

  • 29-01-2007 3:12pm
    #1
    Registered Users Posts: 673 ✭✭✭


    Hi,

    I have been told to use the PHP function htmlentities() on my site where people can input text in a textfield for security reasons. I have the code as follows but it doesn't seem to be doing anything:

    $my_league_name = $_POST;
    $league_name = htmlentities($my_league_name);

    If I enter $my_league_name as <h1>hello</h1>, $league_name is still echoing as <h1>hello</h1>. Should this not be replacing the HTML tags?

    Thanks


Comments

  • Registered Users Posts: 6,511 ✭✭✭daymobrew


    Maybe the browser is converting the items back to look like HTML.
    Write the returned string to a text file and see what it looks like.


  • Registered Users Posts: 673 ✭✭✭Bananna man


    daymobrew wrote:
    Maybe the browser is converting the items back to look like HTML.
    Write the returned string to a text file and see what it looks like.

    Thanks, that's what was going on. When I view the info in my database it's being stored with the HTML converted.

    Are my scripts still open to people trying to redefine my variables if they try inputting new variables in the textfields?


  • Registered Users Posts: 6,511 ✭✭✭daymobrew


    Bananna man wrote:
    Are my scripts still open to people trying to redefine my variables if they try inputting new variables in the textfields?
    I don't understand your question.

    If possible, you should do a regular expression check on the entered data, to ensure that it matches the format you expect e.g. for an age request, ensure that you get reasonable numbers.
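
An added example, not code from any of the posts above: it prints the raw and htmlentities()-encoded form of some constructed inputs so the difference is visible outside a browser (which renders `&lt;` back as `<`), and applies a regular-expression allow-list as suggested in the last reply. The function names and the allowed character set are assumptions made for illustration.

```php
<?php
// Constructed sample values standing in for what a user might type
// into the league name text field.
$samples = ['Sunday League', '<h1>hello</h1>', 'Tom & "Jerry" FC', ''];

/**
 * Allow-list check (hypothetical rule): 1 to 40 letters, digits, spaces
 * and a few punctuation marks. \A and \z anchor the whole string, so a
 * trailing newline cannot slip past the way it can with $.
 */
function is_valid_league_name(string $name): bool
{
    return preg_match('/\A[\p{L}\p{N} .,\'&-]{1,40}\z/u', $name) === 1;
}

/**
 * Encode a value for an HTML context. ENT_QUOTES also converts ' and ",
 * which matters when the value is placed inside an attribute.
 */
function html_escape(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($samples as $raw) {
    printf(
        "raw:     %s\nencoded: %s\nvalid:   %s\n\n",
        $raw,
        html_escape($raw),
        is_valid_league_name($raw) ? 'yes' : 'no'
    );
}
```

Run from the command line (or view the page source rather than the rendered page) to see `&lt;h1&gt;hello&lt;/h1&gt;` instead of what looks like the original tags.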

