Given the following two HTML/PHP snippets:
<input type="text" name="firstname" value="<?php echo $_POST['firstname']; ?>" />
and
<textarea name="content"><?php echo $_POST['content']; ?></textarea>
what character encoding do I need to use for the echoed $_POST variables? Can I use any built-in PHP functions?
Please assume that the $_POST values have not been encoded at all yet. No magic quotes – no nothing.
Answer
Use htmlspecialchars($_POST['firstname']) and htmlspecialchars($_POST['content']).
Always escape strings with htmlspecialchars() before showing them to the user.
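The two snippets from the question with the escaping applied, as an added example that is not part of the original answer. The helper name e() and the sample $_POST values are constructed for illustration; the explicit flags are used because htmlspecialchars() only encodes single quotes by default from PHP 8.1 onward.

```php
<?php
// Hypothetical helper (the name "e" is an assumption, not from the page).
function e($value): string
{
    // A field submitted as name="firstname[]" arrives as an array;
    // treat anything that is not a string as empty instead of erroring.
    if (!is_string($value)) {
        return '';
    }
    // ENT_QUOTES: encode both " and ', so the result is safe inside
    //             single- or double-quoted attribute values.
    // ENT_SUBSTITUTE: replace invalid UTF-8 sequences with U+FFFD rather
    //             than returning an empty string for the whole value.
    // The encoding must match the charset the page is served with.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input standing in for a real form submission.
$_POST = [
    // Tries to close the value="..." attribute and add a new one.
    'firstname' => 'Ann" onfocus="alert(1)',
    // Tries to close the <textarea> element and start a script.
    'content'   => '</textarea><script>alert(1)</script>',
];

// ?? '' covers the first page load, when the keys are not set yet.
$firstname = e($_POST['firstname'] ?? '');
$content   = e($_POST['content'] ?? '');
?>
<input type="text" name="firstname" value="<?= $firstname ?>" />
<textarea name="content"><?= $content ?></textarea>
```

Escape at output time and keep the raw value for storage and validation, so the same data can be encoded correctly for other contexts later.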