Htmlspecialchars ENT_NOQUOTES not working?


I'm trying to output the name of a project i.e. "David's Project" in a form, if a user does not correctly input all data in the form, to save the user having to input the name again.

If I var_dump $name I see David's project. But if I echo $name I see David"&#39" Project. I realise that ' (single quote) becomes "&#039"; but I have tried using ENT_NOQUOTES and ENT_COMPAT to avoid encoding the single quote but neither works.

$name = trim(filter_input(INPUT_POST, 'name0', FILTER_SANITIZE_STRING));

<form method="post" class="form">
Title: <input type="text" name="name0" value="<?php echo htmlspecialchars($name, ENT_NOQUOTES); ?>">
</form>

Am I doing something wrong, or should ENT_NOQUOTES work? I tried using str_replace to replace ' with \', but this didn't work either.

The only way round this I have found is to use this:

htmlspecialchars_decode(htmlspecialchars($name, ENT_NOQUOTES));

Is that acceptable?

Sorry, I realise this is probably a really stupid question, but I just can't get my head around it.

Thanks for any replies.


Solution

  • You can accept a simple answer if it solves your problem BUT you should really understand that what you have delved into is a much larger issue you or someone has created for you.

    1. Databases should not contain HTML encoded characters unless they are specifically meant for storing HTML. I highly doubt this is the case as it very rarely is.
    2. Someone is inserting HTML into your database (html encoding data on insert). This means if you ever want to use a mobile app that is not HTML based, or a command line, or anything at all that might use the data and isn't HTML based, you are going to run into a weird problem where the HTML encoded characters have to be removed on output. This is typically kind of the backwards way to do it and can often cause issues.
    3. You rarely need to "sanitize" your inputs. If anything, you should reject input that is not allowed OR simply escape it in the proper way while inserting it into the database. Sanitizing is only a thing in very special circumstances, which you don't appear to have right now. You're simply inputting and outputting text.
    4. You should pretty much never change users' input.

    My suggestion, if possible, is to fix your INSERT code first so it isn't HTML-encoding data. This HTML encoding should happen when you output the data TO AN HTML FORMAT. You would use htmlspecialchars() to do this.
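The following script is an added illustration, not code from the question or the answer above. It reproduces the double encoding the asker saw (FILTER_SANITIZE_STRING encodes the quote on input, then htmlspecialchars() escapes the resulting ampersand) and shows the escape-on-output approach the answer recommends. The variable names and the helper escapeForAttribute() are my own; the input string is a constructed sample standing in for $_POST['name0'].

```php
<?php
// Constructed sample input, standing in for what the user typed into the form.
$posted = "David's Project";

// --- What the question's code does ---
// FILTER_SANITIZE_STRING (deprecated as of PHP 8.1) strips tags AND HTML-encodes
// quotes on the way *in*: ' becomes &#39; and " becomes &#34;.
$sanitized = trim(filter_var($posted, FILTER_SANITIZE_STRING));
// $sanitized === "David&#39;s Project"

// htmlspecialchars() now sees a literal '&' and escapes it to &amp;.
// ENT_NOQUOTES only decides whether quotes in the *input* get escaped; it does
// not decode entities that are already there, which is why it "did not work".
$doubleEncoded = htmlspecialchars($sanitized, ENT_NOQUOTES);
// $doubleEncoded === "David&amp;#39;s Project"
// A browser renders that as the text  David&#39;s Project  -- the symptom seen.

// --- What the answer recommends: store/keep the raw text, escape on output ---
// Escape a value for use inside a double-quoted HTML attribute. ENT_QUOTES
// escapes both ' and " so the value can never break out of the attribute.
function escapeForAttribute(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Keep the user's input unchanged (no sanitizing filter), just trim whitespace.
$name = trim($posted);
// $name === "David's Project"

$attr = escapeForAttribute($name);
// $attr === "David&#039;s Project"
// The browser decodes &#039; back to ', so the field shows: David's Project

echo '<form method="post" class="form">' . "\n";
echo 'Title: <input type="text" name="name0" value="' . $attr . '">' . "\n";
echo '</form>' . "\n";

// If FILTER_SANITIZE_STRING cannot be removed immediately, adding the flag
// FILTER_FLAG_NO_ENCODE_QUOTES stops it from encoding quotes on input, so the
// single htmlspecialchars() call at output time is then enough.
$rawQuotes = filter_var($posted, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);
// $rawQuotes === "David's Project"
```

Run with `php example.php` to see the rendered form markup; the comments give the intermediate values at each step.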