{"id":1524,"date":"2021-05-08T02:36:22","date_gmt":"2021-05-08T02:36:22","guid":{"rendered":"https:\/\/phptutorial.net\/?page_id=1524"},"modified":"2025-04-07T12:49:27","modified_gmt":"2025-04-07T12:49:27","slug":"php-htmlspecialchars","status":"publish","type":"page","link":"https:\/\/www.phptutorial.net\/php-tutorial\/php-htmlspecialchars\/","title":{"rendered":"PHP htmlspecialchars Function"},"content":{"rendered":"\n<p><strong>Summary<\/strong>: in this tutorial, you&#8217;ll learn how to use the PHP <code>htmlspecialchars()<\/code> function to prevent XSS attacks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id='what-is-xss'>What Is XSS? <a href=\"#what-is-xss\" class=\"anchor\" id=\"what-is-xss\" title=\"Anchor for What Is XSS?\">#<\/a><\/h2>\n\n\n\n<p>XSS stands for cross-site scripting. It&#8217;s a kind of attack where a hacker injects malicious client-side code into a web page&#8217;s output.<\/p>\n\n\n\n<p>For example, suppose you have a form that allows users to submit comments and displays them on the page. If you display the comments without any processing, your page is vulnerable to an XSS attack.<\/p>\n\n\n\n<p>A hacker may submit a comment with <a href=\"https:\/\/www.javascripttutorial.net\/javascript-bom\/javascript-redirect\/\" target=\"_blank\" rel=\"noreferrer noopener\">JavaScript code that redirects<\/a> users to a malicious website. 
For example:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-1\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">&lt;script&gt;location.replace(<span class=\"hljs-string\">'&lt;malicious website url&gt;'<\/span>);&lt;\/script&gt;<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-1\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>This comment contains JavaScript code that redirects users to a malicious website.<\/p>\n\n\n\n<p>If you <a href=\"https:\/\/phptutorial.net\/php-pdo\/php-pdo-insert\/\">store this comment in the database<\/a> and display it in the comments section, the JavaScript code will execute when legitimate users visit the page and redirect them to the malicious website.<\/p>\n\n\n\n<p>To prevent XSS attacks, you should always escape strings from untrusted sources such as user input. 
To escape a string for output, you use the <code>htmlspecialchars()<\/code> function.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id='introduction-to-the-php-htmlspecialchars-function'>Introduction to the PHP htmlspecialchars() function <a href=\"#introduction-to-the-php-htmlspecialchars-function\" class=\"anchor\" id=\"introduction-to-the-php-htmlspecialchars-function\" title=\"Anchor for Introduction to the PHP htmlspecialchars() function\">#<\/a><\/h2>\n\n\n\n<p>The <code>htmlspecialchars()<\/code> function accepts an input string (<code>$string<\/code>) and returns a new string with the special characters converted into HTML entities.<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-2\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">htmlspecialchars ( \n    string $string , \n    int $flags = ENT_COMPAT , \n    string|<span class=\"hljs-keyword\">null<\/span> $encoding = <span class=\"hljs-keyword\">null<\/span> , \n    bool $double_encode = <span class=\"hljs-keyword\">true<\/span> \n) : string<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-2\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>The function accepts four parameters:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>$string<\/code> &#8211; The input string you want to escape.<\/li>\n\n\n\n<li><code>$flags<\/code> &#8211; A bitmask of one or more flags that controls how the function handles the special characters. With the default <code>ENT_COMPAT<\/code>, single quotes are left unchanged; pass <code>ENT_QUOTES<\/code> to convert both double and single quotes.<\/li>\n\n\n\n<li><code>$encoding<\/code> &#8211; The encoding that the function will use when converting characters.<\/li>\n\n\n\n<li><code>$double_encode<\/code> &#8211; If false, the function will not encode existing HTML entities. 
The default is to convert every HTML entity, including existing ones.<\/li>\n<\/ul>\n\n\n\n<p>The following table shows the special characters that the <code>htmlspecialchars()<\/code> function will convert to HTML entities:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><thead><tr><th>Character<\/th><th>Name<\/th><th>Replacement<\/th><\/tr><\/thead><tbody><tr><td><code>&amp;<\/code><\/td><td>Ampersand<\/td><td><code>&amp;amp;<\/code><\/td><\/tr><tr><td><code>\"<\/code><\/td><td>Double quote<\/td><td><code>&amp;quot;<\/code>, unless&nbsp;<strong><code>ENT_NOQUOTES<\/code><\/strong>&nbsp;is set<\/td><\/tr><tr><td><code>'<\/code><\/td><td>Single quote<\/td><td><code>&amp;#039;<\/code>&nbsp;(for&nbsp;<strong><code>ENT_HTML401<\/code><\/strong> flag) or&nbsp;<code>&amp;apos;<\/code>&nbsp;(for&nbsp;<strong><code>ENT_XML1<\/code><\/strong>,&nbsp;<strong><code>ENT_XHTML<\/code><\/strong>&nbsp;or&nbsp;<strong><code>ENT_HTML5<\/code><\/strong> flag), but only when&nbsp;<strong><code>ENT_QUOTES<\/code><\/strong>&nbsp;flag is set<\/td><\/tr><tr><td><code>&lt;<\/code><\/td><td>Less than<\/td><td><code>&amp;lt;<\/code><\/td><\/tr><tr><td><code>&gt;<\/code><\/td><td>Greater than<\/td><td><code>&amp;gt;<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id='php-htmlspecialchars-function-example'>PHP htmlspecialchars() function example <a href=\"#php-htmlspecialchars-function-example\" class=\"anchor\" id=\"php-htmlspecialchars-function-example\" title=\"Anchor for PHP htmlspecialchars() function example\">#<\/a><\/h2>\n\n\n\n<p>The following example shows how to display a string on a page without escaping:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-3\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\"><span class=\"hljs-meta\">&lt;?php<\/span>\n\n$comment = <span class=\"hljs-string\">\"&lt;script&gt;alert('Hello there');&lt;\/script&gt;\"<\/span>;\n<span 
class=\"hljs-keyword\">echo<\/span> $comment;<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-3\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>If you run the code in a web browser, you&#8217;ll see an <a href=\"https:\/\/www.javascripttutorial.net\/javascript-bom\/javascript-alert\/\" target=\"_blank\" rel=\"noreferrer noopener\">alert<\/a> message.<\/p>\n\n\n\n<p>To escape the <code>$comment<\/code> string, you use the <code>htmlspecialchars()<\/code> function as follows:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-4\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\"><span class=\"hljs-meta\">&lt;?php<\/span>\n\n$comment = <span class=\"hljs-string\">'&lt;script&gt;alert(\"Hello there\");&lt;\/script&gt;'<\/span>;\n<span class=\"hljs-keyword\">echo<\/span> htmlspecialchars($comment);<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-4\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p><a href=\"https:\/\/phptutorial.net\/playground\/?q=PD9waHAKCiRjb21tZW50ID0gJzxzY3JpcHQ-YWxlcnQoIkhlbGxvIHRoZXJlIik7PC9zY3JpcHQ-JzsKZWNobyBodG1sc3BlY2lhbGNoYXJzKCRjb21tZW50KTs\" target=\"_blank\" rel=\"noreferrer noopener\">Try it<\/a><\/p>\n\n\n\n<p>Now, you&#8217;ll see the following string on the webpage instead:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-5\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">&lt;script&gt;alert(<span 
class=\"hljs-string\">\"Hello there\"<\/span>);&lt;\/script&gt;<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-5\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>The <code>htmlspecialchars()<\/code> function converts the <code>$comment<\/code> string to the following:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-6\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">&amp;lt;script&amp;gt;alert(&amp;quot;Hello there&amp;quot;);&amp;lt;\/script&amp;gt;<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-6\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<h2 class=\"wp-block-heading\" id='summary'>Summary <a href=\"#summary\" class=\"anchor\" id=\"summary\" title=\"Anchor for Summary\">#<\/a><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>XSS stands for cross-site scripting, a type of attack in which a hacker injects malicious client-side code into a web page&#8217;s output.<\/li>\n\n\n\n<li>Use the PHP <code>htmlspecialchars()<\/code> function to convert special characters to HTML entities.<\/li>\n\n\n\n<li>Always escape a string with the <code>htmlspecialchars()<\/code> function before displaying it on a webpage to prevent XSS attacks.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you&#8217;ll learn how to use the PHP htmlspecialchars() function to prevent XSS attacks.<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":15,"menu_order":116,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-1524","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/www.phptutorial.net\/wp-json\/wp\/v2\/pages\/1524","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.phptutorial.net\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.phptutorial.net\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.phptutorial.net\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phptutorial.net\/wp-json\/wp\/v2\/comments?post=1524"}],"version-history":[{"count":5,"href":"https:\/\/www.phptutorial.net\/wp-json\/wp\/v2\/pages\/1524\/revisions"}],"predecessor-version":[{"id":3256,"href":"https:\/\/www.phptutorial.net\/wp-json\/wp\/v2\/pages\/1524\/revisions\/3256"}],"up":[{"embeddable":true,"href":"https:\/\/www.phptutorial.net\/wp-json\/wp\/v2\/pages\/15"}],"wp:attachment":[{"href":"https:\/\/www.phptutorial.net\/wp-json\/wp\/v2\/media?parent=1524"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}