htmlspecialchars – PHP String Functions

Syntax :

Description :

htmlspecialchars() function can converts some predefined characters to HTML entities. Here is list of predefined characters.

[table caption=”Predefined Characters List” max-width=”100%” colwidth=”25%|75%” colalign=”left|left”]

• & (ampersand) becomes &
• ” (double quote) becomes "
• ‘ (single quote) becomes '
• < (less than) becomes &gt;
• > (greater than) becomes &gt;

[/table]

Tip: To convert special HTML entities back to characters, use the htmlspecialchars_decode() function.

Parameter :

• strings – This is Required parameter. String which needs to be converted.
• flags – This is an Optional parameter. The default value for flags is ENT_COMPAT | ENT_HTML401. It elaborates how to handle quotes, invalid encoding and the used document type.

[table caption=”List of available flags constants are” max-width=”100%” colwidth=”25%|75%” colalign=”left|left”]

Constant Name, Description
ENT_COMPAT, It will convert double-quotes only.
ENT_QUOTES, It will convert both double and single quotes.
ENT_NOQUOTES, It will not convert both double and single quotes.
ENT_IGNORE, Silently discard invalid code unit sequences instead of returning an empty string. Should not be used to avoid security implications.
ENT_SUBSTITUTE, Replace invalid code unit sequences with a Unicode Replacement Character U+FFFD (UTF-8) or &#FFFD; (otherwise) instead of returning an empty string.
ENT_DISALLOWED, Replace invalid code points for the given document type with a Unicode Replacement Character U+FFFD (UTF-8) or &#FFFD; (otherwise) instead of leaving them as is.
ENT_HTML401, Handle code as HTML 4.01.
ENT_XML1, Handle code as XML 1.
ENT_XHTML, Handle code as XHTML.
ENT_HTML5, Handle code as HTML 5.
[/table]

• encoding/character-set – This is an Optional parameter. It defines which encoding is to be used when converting characters.
  • If omitted, the default value of the encoding varies depending on the PHP version in use. In PHP 5.6 and later, the default_charset configuration option is used as the default value. PHP 5.4 and 5.5 will use UTF-8 as the default. Earlier versions of PHP use ISO-8859-1.Although this argument is technically optional, you are highly encouraged to specify the correct value for your code if you are using PHP 5.5 or earlier, or if your default_charset configuration option may be set incorrectly for the given input.The following character sets are supported:For the purposes of this function, the encodings ISO-8859-1, ISO-8859-15, UTF-8, cp866, cp1251, cp1252, andKOI8-R are effectively equivalent, provided the string itself is valid for the encoding, as the characters affected by htmlspecialchars() occupy the same positions in all of these encodings.
  • Supported charsets
    [table caption=”List of Supported charsets are” max-width=”100%” colwidth=”25%|75%” colalign=”left|left”]
    Charset Aliases, Description
    ISO-8859-1,Western European Latin-1.
    ISO-8859-5 , Little used cyrillic charset (Latin/Cyrillic).
    ISO-8859-15 , Western European,
    UTF-8, ASCII compatible multi-byte 8-bit Unicode.
    cp866 ibm866, DOS-specific Cyrillic charset.
    cp1251 , Windows-specific Cyrillic charset.
    cp1252 , Windows specific charset for Western European.
    KOI8-R,  Russian.
    BIG5 950, Traditional Chinese. mainly used in Taiwan.
    GB2312 936, Simplified Chinese. national standard character set.
    BIG5-HKSCS , with Hong Kong extensions. Traditional Chinese.
    Shift_JIS , Japanese
    EUC-JP , Japanese
    MacRoman Charset, that was used by Mac OS.
    [/table]
    ” An empty string activates detection from script encoding (Zend multibyte), default_charset and current locale (see nl_langinfo() and setlocale()), in this order. Not recommended.
    Note: Any other character sets are not recognized. The default encoding will be used instead and a warning will be emitted.
• double_encode – This is an Optional parameter. When double_encode is turned off PHP will not encode existing html entities. The default is to convert everything.  A boolean value that specifies whether to encode existing html entities or not.
  TRUE – Default. Will convert everything
  FALSE – Will not encode existing html entities

Output :

This will return a converted string.

ChangeLog :

[table caption=”ChangeLog ” width=”100%” colwidth=”25%|75%” colalign=”left|left”]
Version, Description
5.6.0, The default value for the encoding parameter was changed to be the value of the default_charset configuration option.
5.4.0, The default value for the encoding parameter was changed to UTF-8.
5.3.0, The constant ENT_IGNORE was added.
5.2.3, The double_encode parameter was added.
[/table]

Related articles : get_html_translation_table(), htmlentities(), html_entity_decode().

htmlspecialchars() – PHP Functions Example 1 :

<?php
$strExample = '<a href="http://www.tutorialmines.net">Click to go tutorialmines</a>';
echo htmlspecialchars($strExample);
echo "<br />";
$strExample1 = '<b><i>www.tutorialmines.net. I am bold and italic.</i></b>';
echo htmlspecialchars($strExample1);
?>

In above example ,We have a string ‘<a href=”http://www.tutorialmines.net”>Click to go tutorialmines</a>’; and string ‘<b><i>www.tutorialmines.net. I am bold and italic.</i></b>’;. Now see how the functions htmlspecialchars() will convert them in the HTML view source of the page .

See below is the HTML output of above code view source of browser :

<!DOCTYPE html>
<html>
<body>
&lt;a href=&quot;http://www.tutorialmines.net&quot;&gt;Click to go tutorialmines&lt;/a&gt;<br />
&lt;b&gt;&lt;i&gt;www.tutorialmines.net. I am bold and italic.&lt;/i&gt;&lt;/b&gt;

</body>
</html>

See below is the output of above code in web browser :

htmlspecialchars() – PHP Functions Example 2 :

This example will show the use of different flags constants in htmlspecialchars() function. We are taking single and double quotes in this example and see how this function behaves when constant flags are used –

<?php
$str = "\"He said, 'You can learn PHP here' \"";
echo htmlspecialchars($str, ENT_COMPAT); // This will only convert double quotes
echo "<br/>";
echo htmlspecialchars($str, ENT_QUOTES); // This will converts double and single quotes
echo "<br/>";
echo htmlspecialchars($str, ENT_NOQUOTES); // This will not convert any quotes
?> 

See below is the HTML output of above code i.e. View Source in Web browser.

<!DOCTYPE html>
<html>
<body>
&quot;He said, 'You can learn PHP here' &quot;<br/>
&quot;He said, &#039;You can learn PHP here&#039; &quot;<br/>
"He said, 'You can learn PHP here' " 
</body>
</html>

See below is the output of above code in Web browser.

htmlspecialchars() – PHP Functions Example 3 :

Convert some characters to HTML entities using the Western European character-set :

<?php
$str = "Bonjour chers visiteurs ! <br />
N\'hésitez pas à nous contacter pour tous vos projets ou questions concernant - <br />
Développement web <br />
Web Designing <br />
Services de référencement <br />
Google Classement de la page <br />
Développement d\'applications Android.";
echo htmlspecialchars($str, ENT_QUOTES, "UTF-8"); // Will only convert double quotes (not single quotes), and uses the character-set Western European
?>

See below is the HTML output of above code i.e. View Source in Web browser.

<!DOCTYPE html>
<html>
<body>

Bonjour chers visiteurs ! &lt;br /&gt;
N&#039;hésitez pas à nous contacter pour tous vos projets ou questions concernant - &lt;br /&gt;
Développement web &lt;br /&gt;
Web Designing &lt;br /&gt;
Services de référencement &lt;br /&gt;
Google Classement de la page &lt;br /&gt;
Développement d&#039;applications Android.
</body>
</html

See below is the output of above code in Web browser.

Q – What are the differences between htmlspecialchars() and htmlentities(). When should I use one or the other? When to use htmlspecialchars() or htmlentities()?

A – htmlspecialchars () does the minimum amount of encoding, which ensure that our string is not parsed as HTML. Which results in that our string is more human-readable than it would be if you used htmlentities () to encode absolutely everything that has an encoding.

When there is no need to encode all characters which have their HTML equivalents. use htmlspecialchars ().

htmlspecialchars is much straightforward, and produce less code to send to the client.