Sanitising for HTML

$MyString = htmlspecialchars($MyString, ENT_QUOTES);
// '&' (ampersand) becomes '&'
// '"' (double quote) becomes '"'
// "'" (single quote) becomes '''
// '<' (less than) becomes '<'
// '>' (greater than) becomes '>' 
Convert special HTML entities back to characters
$MyString = htmlspecialchars_decode($MyString);

Sanitising for HTML from a form POST

See page here.

URL Encode and Decode

Returns a string in which all non-alphanumeric characters except -_. have been replaced with a percent (%) sign followed by two hex digits and spaces encoded as plus (+) signs. A space is encoded to %20 in URLs, and to + in forms submitted data (content type application/x-www-form-urlencoded).

  $UrlString = urlencode($OriginalString);
  $OriginalString = urldecode($UrlString);
  $MyString = "This is my sample text, with special chars. #%!\"'^-_£&";
  echo "Start string: $MyString<br>";
  $MyString = urlencode($MyString);
  echo "urlencode(): $MyString<br>";
  $MyString = urldecode($MyString);
  echo "urldecode(): $MyString<br>";

  //  Start string: This is my sample text, with special chars. #%!"'^-_£&
  //  urlencode(): This+is+my+sample+text%2C+with+special+chars.+%23%25%21%22%27%5E-_%C2%A3%26
  //  urldecode(): This is my sample text, with special chars. #%!"'^-_£&
If wanting to pass a file url in an argument you can do this
//The HTML Link with the URL argument  
$Url .= '<a href="/my_file?iurl=' . urlencode($MyStringContainingAUrl) . '/" >';    //We add a trailing '/' otherwise a file extension period '.' in $MyStringContainingAUrl buggers up the argument being seen as one and not a file link to the browser
//The page the argument was passed to
$MyStringContainingAUrl .= '<img src="' . rtrim(urldecode($_REQUEST['iurl']), '/') . '" >';      //Remove the trailing '/' that was added to avoid the period breaking the url argument

PHP adds back slash before forward slash

(e.g. / becomes \/ )

It’s a JSON issue. JSON escapes all special characters by default. When decoded, you will get original value back without the backslash. If its causing issues you need to resolve see stripslashes tip about needing to be at final echo here.

General PHP only use

function SanitizeString($var)
	$var = strip_tags($var);
	$var = htmlentities($var);
	return stripslashes($var);
$my_string = stripslashes(htmlentities(strip_tags($my_string)));


htmlentities() converts things like < > ” \ etc into HTML strings like &lt; so they become harmless.

  $CameFromPage = htmlentities($_SERVER['HTTP_REFERER']);

Stopping New Lines In A Text Box Being Converted To <br />

$my_text = mysqli_real_escape_string($dblink, str_replace("\r\n"," ",$_POST['myform_text_field'])); 
We benefit hugely from resources on the web so we decided we should try and give back some of our knowledge and resources to the community by opening up many of our company’s internal notes and libraries through mini sites like this. We hope you find the site helpful.
Please feel free to comment if you can add help to this page or point out issues and solutions you have found, but please note that we do not provide support on this site. If you need help with a problem please use one of the many online forums.


Your email address will not be published.