
htmlentities(urlencode($userinput)) overkill?

Cook

3:21 am on Oct 14, 2004 (gmt 0)

10+ Year Member



Hi,

PHP manual recommends the following to encode URLs:

<?php
echo '<a href="mycgi?foo=', htmlentities(urlencode($userinput)), '">';
?>

However this makes little sense to me as urlencode converts everything but -_ to %xx, and % has no equivalent html entity. So htmlentities() will not transform anything in urlencode($userinput).

It would make sense in this case:

<?php
echo '<a href="mycgi?foo=', htmlentities(urlencode($userinput_1) . '&' . urlencode($userinput_2)), '">';
?>

Then htmlentities is useful as the & gets translated into its &amp; entity.

Or am I missing something?

Thanks for your comments.
Cheers,
Cook

mincklerstraat

9:18 am on Oct 14, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I have only used urlencode and htmlentities separately - if I use the one, I don't use the other - I also usually use htmlspecialchars instead of htmlentities, since this seems sufficient. Yes, it looks to me like overkill, maybe a bit of security overzealousness. I have never really researched this, but I just don't see what could come through once something has been urlencoded that could be a security liability.
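As an added example (not posted by either participant and not taken from the PHP manual), the script below runs both of Cook's cases and checks mincklerstraat's point that nothing HTML-significant survives urlencode(). The input strings are constructed for the demo; `mycgi` is the placeholder endpoint from the thread.

```php
<?php
// Added example, not from the original thread. Shows what each encoding
// layer does to a query-string value embedded in an href attribute.

// Constructed sample inputs containing URL- and HTML-significant characters.
$userinput   = 'a b&c="<d>"';
$userinput_2 = '100%';

// Layer 1: urlencode() makes a value safe as a single query-string component.
// Every byte outside [A-Za-z0-9-_.] becomes %XX (space becomes '+').
$urlPart = urlencode($userinput);
echo $urlPart, PHP_EOL;
// a+b%26c%3D%22%3Cd%3E%22

// Cook's first case: htmlentities()/htmlspecialchars() applied to one
// urlencoded value changes nothing, because urlencode() output never
// contains & < > " or '. This is the no-op Cook noticed.
var_dump(htmlspecialchars($urlPart, ENT_QUOTES, 'UTF-8') === $urlPart); // bool(true)

// Cook's second case: once two encoded values are joined with a literal '&',
// the attribute context needs the HTML escape, applied last, over the whole
// assembled query string. Only the separator is affected.
$query = 'foo=' . urlencode($userinput) . '&bar=' . urlencode($userinput_2);
echo '<a href="mycgi?' . htmlspecialchars($query, ENT_QUOTES, 'UTF-8') . '">link</a>', PHP_EOL;
// <a href="mycgi?foo=a+b%26c%3D%22%3Cd%3E%22&amp;bar=100%25">link</a>

// Same result using http_build_query(), which urlencodes each value and
// joins with '&'; the href-attribute escape is still the outermost layer.
$query2 = http_build_query(['foo' => $userinput, 'bar' => $userinput_2]);
echo '<a href="mycgi?' . htmlspecialchars($query2, ENT_QUOTES, 'UTF-8') . '">link</a>', PHP_EOL;
```

The order is the point: encode each value for the URL first, then escape the assembled attribute value for HTML. The browser undoes the HTML layer (`&amp;` back to `&`) when it reads the attribute, and the server undoes the URL layer when it parses the query string, so each decoder sees exactly what its encoder produced.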