0
0
PhpHow-ToBeginner · 3 min read

How to Use htmlspecialchars in PHP: Simple Guide

Use htmlspecialchars in PHP to convert special characters to HTML entities, preventing them from being interpreted as HTML code. This helps protect your web pages from security issues like cross-site scripting (XSS). Simply pass the string you want to escape as the first argument to htmlspecialchars.
📐

Syntax

The htmlspecialchars function converts special characters to HTML entities to prevent them from being treated as HTML code. It takes these main parameters:

  • string $string: The text to convert.
  • int $flags (optional): Controls how quotes and other characters are handled.
  • string $encoding (optional): Character encoding, usually UTF-8.
  • bool $double_encode (optional): Whether to convert existing HTML entities again.
php
string htmlspecialchars ( string $string , int $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401 , string $encoding = 'UTF-8' , bool $double_encode = true )
💻

Example

This example shows how htmlspecialchars converts special characters like <, >, and quotes into safe HTML entities so they display correctly on a web page.

php
<?php
$input = '<a href="test">Test & Check</a>';
$safe = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
echo $safe;
?>
Output
&lt;a href=&quot;test&quot;&gt;Test &amp; Check&lt;/a&gt;
⚠️

Common Pitfalls

Common mistakes when using htmlspecialchars include:

  • Not specifying ENT_QUOTES flag, so single quotes are not converted.
  • Forgetting to set the correct character encoding, which can cause issues with special characters.
  • Double encoding already escaped entities, which can break HTML display.

Always use ENT_QUOTES and specify UTF-8 encoding to avoid these problems.

php
<?php
// Wrong: missing ENT_QUOTES, single quotes not escaped
$input = "O'Reilly & Co.";
echo htmlspecialchars($input);

// Right: use ENT_QUOTES to escape single and double quotes
echo htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
?>
Output
O'Reilly &amp; Co.O&#039;Reilly &amp; Co.
📊

Quick Reference

ParameterDescriptionDefault
stringThe input string to convertRequired
flagsControls which characters are converted (e.g., ENT_QUOTES)ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401
encodingCharacter encoding of the stringUTF-8
double_encodeWhether to convert existing HTML entities againtrue

Key Takeaways

Use htmlspecialchars to safely display user input in HTML and prevent XSS attacks.
Always include ENT_QUOTES flag to convert both single and double quotes.
Specify UTF-8 encoding to handle special characters correctly.
Avoid double encoding by setting the double_encode parameter when needed.
htmlspecialchars only escapes special HTML characters, not full HTML sanitization.

Related by keyword

How to Install PHP on Mac: Simple Step-by-Step GuideGetting StartedHow to Run PHP from Command Line: Simple GuideGetting StartedHow to Check Data Type in PHP: Simple GuideVariables and Data TypesHow to Take Input in PHP: Simple Guide with ExamplesVariables and Data TypesHow to Use Arithmetic Operators in PHP: Simple GuideOperators

Up next

What is Error Reporting in PHP: Explanation and ExampleError vs Exception in PHP: Key Differences and UsageHow to Create Namespace in PHP: Syntax and ExamplesHow to Use Alias in Namespace PHP: Simple Guide

More in Security

How to Hash Password in PHP Securely with password_hash()How to Prevent CSRF in PHP: Simple and Effective MethodsHow to Prevent File Upload Vulnerabilities in PHP SecurelyHow to Prevent SQL Injection in PHP: Secure Your Database