I've been at this for hours and can't seem to get anywhere. I'm using XAMPP (Apache 2.0, PHP 5.5), Chrome, and NetBeans as my editor.
I have an input text box which I want to validate before I use it to search a MySQL database. I use POST to get the input.
The input I'm using is "x/65!!!"how to
$searchtext = $_POST['searchbox'];
echo "<br />" . htmlspecialchars($searchtext);
echo "<br />htmlentitites: " . $searchtext;
echo "<br />strip slashes : " . stripslashes($searchtext);
echo "<br />internal encoding is: " . mb_internal_encoding();
and my result is:
for htmlspecialchars -> "x/65!!!"how to<b> //why isn't the <b> removed?
for htmlentities -> "x/65!!!"how to //shouldn't the forward slash be stripped out?
for stripslashes -> "x/65!!!"how to //shouldn't the '/' be stripped out?
for mb_internal_encoding-> ISO-8859-1 //My php.ini has UTF-8 as the default, I have meta content-type charset="UTF=8" and I thought PHP 5.5 defaulted to UTF-8
I'm copying from the PHP manual but I'm not getting their results. I suspect it's charset related but I'm not sure where to look anymore.
****Comments********
Jeff,
I changed the spelling of entities and used this string: <b>"'This \!'": /I
This is what I get with htmlspecialchars: "'This !'": /I and yes, everything is bold. All of my output is bold and I do not get any of the escape chars showing: ""<>
Funny thing is though when I echo $_POST['searchbox']; It comes up without the but in bold nevertheless.
My mb_internal_encoding() is ISO-8859-1 even though at the beginning of the page I have a meta statement setting it to UTF-8, and for PHP I made the default UTF-8 by removing the semicolon.
I'm beginning to think my PHP interpreter is broken. I'll have to look at XAMPP to see what their recent version is.
I think you might be confusing the differences between what these functions do to the source output and how the browser renders that source. Make sure you are comparing what you see on screen in the browser with what is shown in the browser's source. You can view the HTML source code in most popular browsers by pressing Ctrl + U, or here's a reference for how to do it in a few others.
for htmlspecialchars -> "x/65!!!"how to<b> //why isn't the <b> removed?

htmlspecialchars doesn't remove anything; it simply converts certain HTML characters into their HTML entity encoding. So it has translated <b> into the entities &lt;b&gt;, which the browser renders on the page as <b>. If you look at your source code, it's actually <br />&quot;x/65!!!&quot;how to&lt;b&gt;. Otherwise you wouldn't be able to see the <b> on screen, because the browser would interpret it as an opening bold tag, making all of your following text bold. This is also why it's not visible in your question: you didn't escape it for the markdown.
for htmlentities -> "x/65!!!"how to<b> //shouldn't the forward slash be stripped out?

A couple of problems here:

Of no real consequence, but I just wanted to point out that you spelled it wrong: htmlentitites != htmlentities in your echo statement.

You didn't actually use the htmlentities function in your code:
echo "<br />htmlentitites: " . $searchtext;
In order to actually use it, wrap your variable:
echo "<br />htmlentitites: " . htmlentities($searchtext);

Coincidentally enough, even if you had used it, the slash wouldn't have been escaped, because a regular old forward slash / is not an HTML character entity, although it does look very similar to the fraction slash ⁄, which would be encoded as &frasl;.
for stripslashes -> "x/65!!!"how to<b> //shouldn't the / be stripped out?

stripslashes only removes backslashes \, not forward slashes /. I think it should have been called stripbackslashes, but they didn't ask me :)
for mb_internal_encoding-> ISO-8859-1 //My php.ini has UTF-8 as the default, I have meta content-type charset="UTF=8" and I though php 5.5 defaulted to UTF8
I'm not very familiar with this one, but I can tell you that the default is not UTF-8 but ISO-8859-1. Are you sure that your php.ini has UTF-8 as the default? Because my php.ini has a line that looks like this: ;mbstring.internal_encoding = UTF-8 and you should note that the semicolon ; at the beginning means it's commented out. You would have to delete that semicolon and restart the web server for it to take effect.
As for your meta statement setting it to UTF-8, I assume you mean you've added an HTML meta tag that looks something like <meta charset="UTF-8">. This only applies to the HTML output, signaling to browsers what character set to expect, and doesn't have any effect on your internal server settings.
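The points in this answer, worked through as an added example (this is not code from the question or the answer, and not from XAMPP or PHP's own documentation). It runs the poster's input through the three functions and prints what lands in the HTML source next to what a browser would display as text, sets the server-side encoding at runtime instead of through php.ini, and then does the database search the way it should be done: the raw value bound as a parameter, with HTML escaping applied only when the result is echoed. Assumptions: the sample input and table rows are constructed here, and an in-memory SQLite table via PDO stands in for the poster's MySQL table so the script runs offline.

```php
<?php
// Added example, not code from the question or the answer above.

// The meta tag only tells the browser which bytes to expect. The server side
// needs its own setting: uncomment mbstring.internal_encoding in php.ini and
// restart Apache, or set it per request as here. Sending the charset in the
// Content-Type header also beats relying on the meta tag alone.
mb_internal_encoding('UTF-8');
header('Content-Type: text/html; charset=UTF-8');

// Constructed sample input, equal to what the poster typed into the search box
// (the trailing <b> was swallowed by the question's markdown).
$searchtext = '"x/65!!!"how to<b>';

// htmlspecialchars() removes nothing. It rewrites & < > " (and ' with ENT_QUOTES)
// as entities so the browser prints them instead of parsing them. Passing the
// charset explicitly makes the call independent of php.ini.
$specialchars = htmlspecialchars($searchtext, ENT_QUOTES, 'UTF-8');

// htmlentities() does the same and additionally encodes every character that has
// a named entity. A plain "/" has no entity and is left alone; "é" becomes
// &eacute; and the fraction slash U+2044 becomes &frasl;. (Hex escapes keep the
// file ASCII-only; the bytes are UTF-8 for "café 1⁄2".)
$entities = htmlentities($searchtext . " caf\xC3\xA9 1\xE2\x81\x842", ENT_QUOTES, 'UTF-8');

// stripslashes() only removes backslashes; "/" stays.
$unslashed = stripslashes('x/65 \"quoted\" and a backslash \\\\');

$cases = array(
    'htmlspecialchars' => $specialchars,
    'htmlentities'     => $entities,
    'stripslashes'     => $unslashed,
);
foreach ($cases as $name => $source) {
    // Decoding the entities approximates what the browser shows as text; any tag
    // left unencoded in $source would be parsed as markup, not displayed.
    $rendered = html_entity_decode($source, ENT_QUOTES, 'UTF-8');
    printf("%-16s source: %s\n%-16s shown : %s\n\n", $name, $source, '', $rendered);
}
echo 'mb_internal_encoding is now: ', mb_internal_encoding(), "\n\n";

// None of the functions above is a defense for the database query. Bind the raw
// value with a prepared statement and escape only the LIKE wildcards.
// Assumption: an in-memory SQLite table stands in for the poster's MySQL table so
// this runs offline; with MySQL only the DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE docs (id INTEGER PRIMARY KEY, title TEXT)');
$insert = $pdo->prepare('INSERT INTO docs (title) VALUES (?)');
foreach (array('"x/65!!!"how to<b> style guide', 'unrelated row', '100% _wild_ card') as $title) {
    $insert->execute(array($title));
}

function searchTitles(PDO $pdo, $needle)
{
    // "!" is declared as the LIKE escape character, so it must be escaped first;
    // the order of the replacement arrays matters for that reason.
    $pattern = '%' . str_replace(array('!', '%', '_'), array('!!', '!%', '!_'), $needle) . '%';
    $stmt = $pdo->prepare("SELECT title FROM docs WHERE title LIKE ? ESCAPE '!'");
    $stmt->execute(array($pattern));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The poster's input, with its quotes, slash, exclamation marks and <b>, is
// matched literally; a search for "%" matches only the row containing a real "%".
foreach (array($searchtext, '%') as $needle) {
    foreach (searchTitles($pdo, $needle) as $title) {
        // Escape at output time, for the HTML context, with an explicit charset.
        echo '<br />', htmlspecialchars($title, ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

Run it from the XAMPP shell with php on the command line or drop it into htdocs and view the page source (Ctrl + U) next to the rendered page: the "source" lines are what htmlspecialchars and htmlentities actually emit, and the "shown" lines are what the poster was seeing and mistaking for the functions doing nothing.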