Backend Development 4 min read

Using PHP htmlspecialchars() to Escape Special Characters

This article explains the PHP htmlspecialchars() function, its syntax and parameters, demonstrates how to escape special characters, quotes, and specify encoding or disable double‑encoding, and shows how it helps prevent XSS attacks in web applications.

php中文网 Courses

When developing web applications, safely handling user input is essential, and the PHP htmlspecialchars() function is commonly used to escape special characters in strings.

htmlspecialchars() Function Syntax

string htmlspecialchars ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 [, string $encoding = "UTF-8" [, bool $double_encode = true ]]] )

$string : Required. The string to be escaped.

$flags : Optional. Determines how quotes are handled; default is ENT_COMPAT | ENT_HTML401 , which leaves single quotes unescaped. (From PHP 8.1 the default is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, so single quotes are escaped by default and invalid byte sequences are replaced rather than causing an empty result.)

$encoding : Optional. Character encoding, default is "UTF-8".

$double_encode : Optional. Whether to escape already escaped characters; default is true.

The function converts the special characters & , " , ' , < , and > into their corresponding HTML entities (the single quote only when ENT_QUOTES is set), so that user input rendered into a page cannot inject markup, which is the basis for preventing cross‑site scripting (XSS) attacks.

Example: Escaping Special Characters

$input = '<script>alert("Hello!");</script>';
$output = htmlspecialchars($input);
echo $output; // Output: &lt;script&gt;alert(&quot;Hello!&quot;);&lt;/script&gt;

This example shows how htmlspecialchars() transforms a script tag into safe HTML entities.

Example: Escaping Quotes with ENT_QUOTES

$input = 'I\'m "John"';
$output = htmlspecialchars($input, ENT_QUOTES);
echo $output; // Output: I&#039;m &quot;John&quot;

With the ENT_QUOTES flag, single quotes are escaped as well as double quotes, which matters whenever the value is placed inside a single‑quoted HTML attribute.

Example: Specifying Character Encoding

$input = '中文字符';
$output = htmlspecialchars($input, ENT_QUOTES, 'GBK');
echo $output; // Output: 中文字符

When the specified encoding matches the encoding of the input and the output environment, and the string contains none of the special characters, it is returned unchanged; the encoding parameter only tells the function how to interpret the bytes it is scanning.

Example: Disabling Double Encoding

$input = 'special &amp; character'; // already contains an HTML entity
$output = htmlspecialchars($input, ENT_QUOTES, 'UTF-8', false);
echo $output; // Output: special &amp; character (with $double_encode = true it would be special &amp;amp; character)

Setting $double_encode to false prevents already‑escaped characters from being encoded again.
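The following is an added example, not code from the original article, that puts the flags described above side by side in the contexts where they matter: a single‑quoted attribute, a text node, already‑escaped data, and an invalid UTF‑8 byte sequence. The helper name e() and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the original article). The helper e() and the
// sample inputs below are constructed for illustration.

// Escape a value for an HTML text node or a quoted attribute value.
// ENT_QUOTES: escapes ' as well as ", so single-quoted attributes are safe.
// ENT_SUBSTITUTE: invalid UTF-8 becomes U+FFFD instead of an empty string,
//   which would otherwise silently drop the whole value.
// ENT_HTML5: emits &apos; for the single quote (ENT_HTML401 emits &#039;).
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs.
$name    = "O'Neil <b>";        // a single quote plus a tag
$already = 'Fish &amp; Chips';  // text that was escaped once already
$broken  = "caf\xE9";           // Latin-1 byte, not valid UTF-8

// 1. ENT_COMPAT leaves the single quote alone. That is only acceptable in a
//    double-quoted attribute; in a single-quoted one the value breaks out.
$compat = htmlspecialchars($name, ENT_COMPAT, 'UTF-8');
echo "<input value='$compat'>\n";           // unsafe: ' ends the attribute early
echo "<input value='" . e($name) . "'>\n"; // safe: O&apos;Neil &lt;b&gt;

// 2. Text node: the same helper applies, there is no second rule to remember.
echo '<p>' . e($name) . "</p>\n";           // <p>O&apos;Neil &lt;b&gt;</p>

// 3. $double_encode = false only when the data is known to be escaped already.
//    Prefer escaping raw data exactly once; treat this as a migration aid.
echo htmlspecialchars($already, ENT_QUOTES, 'UTF-8', false) . "\n"; // Fish &amp; Chips
echo htmlspecialchars($already, ENT_QUOTES, 'UTF-8') . "\n";        // Fish &amp;amp; Chips

// 4. Invalid byte sequence: without ENT_SUBSTITUTE (or ENT_IGNORE) the result
//    is "" and the field renders empty with no error; with it the value survives.
var_dump(htmlspecialchars($broken, ENT_QUOTES, 'UTF-8') === ''); // bool(true)
echo e($broken) . "\n";                                           // caf + U+FFFD
```

Run with `php example.php`; case 4 is the one most often missed in practice, because an empty result is easy to mistake for "no input" rather than a dropped value.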

The htmlspecialchars() function is a widely used PHP tool that helps developers securely process user input, mitigate XSS risks, and ensure the reliability of web applications.

Tags: backend, PHP, XSS, htmlspecialchars, string escaping
Written by

php中文网 Courses

php中文网's platform for the latest courses and technical articles, helping PHP learners advance quickly.
