PHP String htmlspecialchars() Function

The htmlspecialchars() function converts special characters into HTML entities. It is the in-built function of PHP, which converts all pre-defined characters to the HTML entities. The pre-defined characters are:

& (ampersand) converted as &
" (double quote) converted as "
' (single quote) converted as '
< (less than) converted as <
> (greater than) converted as >

There is a string function htmlspecialchars_decode(), which is reverse of the htmlspecialchars() function. The main purpose of htmlspecialchars_decode() function is to convert special HTML entities back to characters. htmlspecialchars() and htmlspecialchars_decode() function are opposite to each other. The syntax of the htmlspecialchars() function is given below:

Syntax:

Parameters

$string: This parameter is contains the input string.

$flags: Basically, this parameter is used to hold the one or more flags from following, which specify how to handle invalid code unit sequences, quotes, and the used document type. ENT_COMPAT | ENT_HTML401 is by default. The available flags constants are given below in the table:

Available flags constants

Constant Name	Description
ENT_IGNORE	It discards invalid code unit sequence instead of returning an empty string.
ENT_QUOTES	It converts both single and double-quotes.
ENT_NOQUOTES	It does not convert any string as it leaves both single and double-quotes unconverted.
ENT_SUBSTITUDE	It replaces invalid code unit sequence with Unicode replacement character U+FFFD (UTF-8) or &#FFFD instead of returning an empty string.
ENT_DISALLOWED	Instead of leaving the invalid code points as it is, it replaces them for the given document type with a Unicode Replacement Character.
ENT_HTML401	It handles code as HTML 4.01 version.
ENT_XML1	It handles code as XML 1.
ENT_XHTML	It handles code as XHTML.
ENT_HTML5	It handles code as HTML5.

$encoding: It is an optional parameter, which defines the encoding which is used when characters are converted. The default value of encoding varies on PHP versions.

In PHP 5.6 and above versions, the default_charset configuration option is used as a default value, whereas PHP 5.4 and 5.5 uses UTF-8.

$double_encode: PHP cannot encode existing HTML entities when the double_encode is turned off. The default is to convert everything.

Description

htmlspecialchars ( string $string [ , int $flags = ENT_COMPAT | ENT_HTML401 [ , string 
$encoding = ini_get ("default_charset") [ , bool $double_encode = TRUE ] ] ] ) : string

There are some characters which have special significance in HTML and must be represented by the HTML entities if they need to preserve their meanings. The htmlspecialchars() function returns a string with these conversions made. If we need all input substrings that have associated named entities to be translated, then use htmlentities() function instead of htmlspecialchars().

Value returned by htmlspecialchars()

It returns converted string, and if the input string is invalid or contains invalid code sequence, then it will return an empty string.

Examples of htmlspecialchars()

Below some example are given for htmlspecialchars() function.

Example 1

<? php
	//string conversion example of htmlspecialchars () function
$str = "This is <i>italic</i> text.";
echo htmlspecialchars($str, ENT_QUOTES); 	//Will convert both single and double-quotes.
?>

Browser Output

The output which is given below is the browser output of the code.

HTML Output

HTML output for the above program will be like-

<DOCTYPE html>
<html>
<body>
This is <i>italic</i> text.
</body>
</html>

HTML output can be seen in the view source file of the browser. Open the Browser -> More tools -> Developer tools-> source, and press Ctrl+P to open view source file.

Example 2

<?php
	$str1= "This is 'PHP' & 'Java' program.";
	echo htmlspecialchars($str1, ENT_COMPAT);	//It will converts only double quotes.
	echo "</br>";
	echo htmlspecialchars($str1, ENT_QUOTES); 	// Converts both double and single quotes
	echo "</br>";
	echo htmlspecialchars($str1, ENT_NOQUOTES); //It will not convert any quotes.
?>

Browser Output

The output which is given below is the browser output of the code.

HTML Output

We can see the HTML output of the above program from view source in the browser, i.e., Browser -> More tools -> Developer tools-> source, and press Ctrl+P to open view source file.

Example 3

<?
	$str=  '"PHP" is much easier than "Java".'. "\n";
	echo htmlspecialchars($str);	//will converts only double quotes.
	echo "</br>";
	echo htmlspecialchars($str, ENT_QUOTES);	//will converts both single and double quotes.
	echo "</br>";
	echo htmlspecialchars($str,  ENT_NOQUOTES);	//will not convert neither single nor double-quotes.
	echo "</br>";

?>

Browser Output

Output on browsers for the above program would be like as given below:

HTML Output

The HTML output for the following program will be shown as in the given screenshot below.

The above example would look in HTML file like -

<DOCTYPE html>
<html>
<body>
       "PHP" is much easier than "Java".
      </br>"PHP" is much easier than "Java".
      </br>"PHP" is much easier than "Java".
      </br>
</body>
</html>

Difference between htmlspecialchars() and htmlentities() function

The only difference between htmlspecialchars() and htmlentities() function is that htmlspecialchars() function converts the special characters to HTML entities, whereas htmlentities() function converts all the applicable characters to html entities.

Next TopicPHP String Functions

← prev next →