How to properly escape html form input default values in php?

php html forms xss
Ryan picture Ryan · Jun 6, 2011 · Viewed 97.3k times · Source

Given the following two html/php snippets:

<input type="text" name="firstname" value="<?php echo $_POST['firstname']; ?>" />

and

<textarea name="content"><?php echo $_POST['content']; ?></textarea>

what character encoding do I need to use for the echoed $_POST variables? Can I use any built in PHP functions? Please assume that the $_POST values have not been encoded at all yet. No magic quotes no nothing.

Answer

rid picture rid · Jun 6, 2011

Use htmlspecialchars($_POST['firstname']) and htmlspecialchars($_POST['content']).

Always escape strings with htmlspecialchars() before showing them to the user.

Related questions

How to read if a checkbox is checked in PHP?

How to read if a checkbox is checked in PHP?

Read More
Get $_POST from multiple checkboxes

I have 1 form in with multiple checkboxes in it (each with the code): <input type="checkbox" name="check_list" value="<? echo $row['Report ID'] ?>"> Where $row['Report ID'] is a primary key in a database -so …

Read More
How to prevent form resubmission when page is refreshed (F5 / CTRL+R)

I have a simple form that submits text to my SQL table. The problem is that after the user submits the text, they can refresh the page and the data gets submitted again without filling the form again. I could …

Read More