htmlspecialchars()
Published on 2019-06-01
From the [PHP documentation](https://www.php.net/manual/en/function.htmlspecialchars.php),
`htmlspecialchars()` converts special characters to HTML entities.
## Bad idea: Using `htmlspecialchars` for "clearing" input
This method is made to transform HTML-related characters to their HTML entity
counterparts, *not* to "clean" data before a save operation, e.g. a SQL
`INSERT` ([1](https://www.artemix.org/blog/dynamic-data-and-sql-statements)).
We see a lot of `htmlspecialchars` usage for saving data into a database,
which is definitely not a good thing.
```php
<?php
// Assumed names ($db, $_POST['username']): the opening lines of this
// snippet were lost when the page was extracted.
$username = htmlspecialchars($_POST['username']);
// HTML escaping followed by string interpolation into SQL: the wrong tool
// for the job, and still an injectable query.
$db->query("SELECT * FROM users WHERE username = '$username';");
```
Not only does this fail to properly prevent SQL injection, but you'll also end up
modifying the data in a non-reversible way.
You *cannot* reliably revert the data to its original, unescaped form.
This means that, by using `htmlspecialchars` here, you can't provide any "edit"
feature, as you won't be able to let the user edit the *original* message.
## Good idea: Using `htmlspecialchars` to sanitize user-generated content
As said before, this method is made to be used when outputting content to a
page.
It's tasked with replacing any HTML-related character with its HTML entity
counterpart.
For example, if you have a forum or a comment space, you can use this method to
avoid [XSS](https://en.wikipedia.org/wiki/Cross-site_scripting) flaws.
```php
<?php
// The HTML tag inside the sample string was lost when the page was
// extracted; a <script> tag is assumed here.
$comment = '<script>alert("XSS")</script> to test XSS';
?>
<!-- ... -->
<!-- Escaped at output time: the browser shows the tag as text instead of running it. -->
<p><?= htmlspecialchars($comment, ENT_QUOTES, 'UTF-8'); ?></p>
```
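As an added example that is not part of the original post, here are both halves of the argument in one script: the comment body is saved untouched through a prepared statement and escaped only when rendered, and the row that was escaped before saving shows why an edit form can no longer present the original text. It assumes PDO with an in-memory SQLite database and a `comments(body)` table of my own choosing.

```php
<?php
// Added example, not from the original post. Assumes PDO with the SQLite
// driver and a constructed `comments` table.
declare(strict_types=1);

function escapeForHtml(string $text): string
{
    // ENT_QUOTES escapes single quotes too, so the result is also safe in
    // attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample input: a user discussing HTML tags, with a quote
// character thrown in.
$input = "Use <b> for bold; it's <strong>er than <i>";

$insert = $db->prepare('INSERT INTO comments (body) VALUES (?)');
// Wrong: escape before saving. The stored text is no longer what was typed.
$insert->execute([escapeForHtml($input)]);
// Right: bind the raw value. The driver quotes it, so the characters in the
// text cannot alter the statement, and the stored text is the original.
$insert->execute([$input]);

[$escapedOnSave, $raw] = $db->query('SELECT body FROM comments ORDER BY id')
    ->fetchAll(PDO::FETCH_COLUMN);

// Rendering: escape at output. The pre-escaped row is escaped a second time,
// so the visitor reads a literal "&lt;b&gt;" instead of "<b>".
echo "<p>" . escapeForHtml($escapedOnSave) . "</p>\n";
echo "<p>" . escapeForHtml($raw) . "</p>\n";

// Editing: the textarea value is escaped too, and the browser decodes it
// back, so what the user sees is exactly the stored text. Only the raw row
// gives back the original message; the other cannot be told apart from a
// user who really typed "&lt;b&gt;".
echo "<textarea>" . escapeForHtml($escapedOnSave) . "</textarea>\n";
echo "<textarea>" . escapeForHtml($raw) . "</textarea>\n";
```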