On Jan 23, 2008 1:43 PM, John Campbell <[EMAIL PROTECTED]> wrote:

> Also, why are you using htmlentities? It is a useless function. If
> you want to escape html, the correct function is htmlspecialchars.
> Htmlentities should never be used... it is slower, adds no security
> benefit, and it unnecessarily makes the data unreadable.
Interesting advice. The difference between them is that htmlentities() escapes everything, whereas htmlspecialchars() only escapes &, ", ', <, and >. So what you're saying is that if an em dash or a smart quote or a multibyte character exists in the content, it should be delivered to the browser unescaped--or at least, there's no benefit to escaping it.

Do your pages validate? What happens in browsers that don't support the characters you're sending? What happens in systems (such as RSS feed processors) that don't support multibyte characters?

You may be right, and the use of htmlentities() may be old school, like using web-safe colors. But if so it's not exactly conventional wisdom, yet.

--
Chris Snyder
http://chxo.com/

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
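As an added illustration of the two functions being compared (example code, not from either poster), the snippet below runs one constructed string containing markup characters, an em dash, curly quotes and CJK text through both htmlspecialchars() and htmlentities(), and shows how the flags and encoding arguments affect the result. It assumes PHP 7.0 or later so that the typed signature and the ENT_SUBSTITUTE flag are available.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.0+.

/**
 * Run the same untrusted string through both escaping functions.
 * The encoding passed here must match the charset the page declares
 * (e.g. Content-Type: text/html; charset=UTF-8); if it does not, the
 * browser may decode the bytes differently than the escaper did.
 */
function escape_both(string $input, string $encoding = 'UTF-8'): array
{
    // ENT_QUOTES: escape both " and ' (older defaults left ' untouched,
    // which matters when data lands inside a single-quoted attribute).
    // ENT_SUBSTITUTE: replace byte sequences invalid in $encoding with
    // U+FFFD instead of returning "", so malformed input cannot blank a field.
    // ENT_HTML401: use the HTML 4.01 named-entity table for htmlentities().
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401;
    return [
        'htmlspecialchars' => htmlspecialchars($input, $flags, $encoding),
        'htmlentities'     => htmlentities($input, $flags, $encoding),
    ];
}

// Constructed sample: the five characters htmlspecialchars() handles, plus
// an em dash, curly quotes and CJK characters.
$sample = "<b>x</b> & \"dq\" 'sq' — “curly” 日本";
foreach (escape_both($sample) as $fn => $out) {
    printf("%-17s %s\n", $fn, $out);
}
// htmlentities() only converts characters that have a named entity in the
// chosen table (the em dash and curly quotes do); characters without one,
// such as 日本 in HTML 4.01, pass through both functions unchanged.

// Constructed string that is not valid UTF-8: the Latin-1 byte 0xE9.
// With ENT_SUBSTITUTE the bad byte is replaced; without it, both
// functions would return an empty string for the whole input.
$broken = "caf\xE9";
printf("%-17s %s\n", 'substituted', escape_both($broken)['htmlspecialchars']);
```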
