htmlentities() vs. htmlspecialchars()

From the PHP documentation for htmlentities:

This function is identical to htmlspecialchars() in all ways, except with htmlentities(), all characters which have HTML character entity equivalents are translated into these entities.

From the PHP documentation for htmlspecialchars:

Certain characters have special significance in HTML, and should be represented by HTML entities if they are to preserve their meanings. This function returns a string with some of these conversions made; the translations made are those most useful for everyday web programming. If you require all HTML character entities to be translated, use htmlentities() instead.

The difference is what gets encoded. The choices are everything (entities) or “special” characters, like ampersand, double and single quotes, less than, and greater than (specialchars).

I prefer to use htmlspecialchars whenever possible.

For example:

    echo htmlentities('<Il était une fois un être>.');
    // Output: &lt;Il &eacute;tait une fois un &ecirc;tre&gt;.
    //                ^^^^^^^^                 ^^^^^^^

    echo htmlspecialchars('<Il était une fois un être>.');
    // Output: &lt;Il était une fois un être&gt;.
    //                ^                 ^

Leave a Comment

tech