How to Use htmlspecialchars() Function in PHP 8.1 and 8.2 with Example?

Supported PHP versions: PHP 7.1, 7.2, 7.3, 7.4, 8.0, 8.1, 8.2 and 8.3 (all current versions are supported).

In PHP, the `htmlspecialchars()` function is used to convert special characters to HTML entities. This is particularly useful when you want to output user-generated content on a webpage to prevent cross-site scripting (XSS) attacks. The function has been available in PHP for quite some time and remains relevant in PHP 8.1 and 8.2. Here’s how you can use it with examples:


```php
<?php
// Example 1: Basic usage of htmlspecialchars()
// Since PHP 8.1 the default flags are ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401,
// so single quotes are encoded as well (earlier versions defaulted to ENT_COMPAT).
$text = "<script>alert('Hello, XSS!');</script>";
$safe_text = htmlspecialchars($text);
echo $safe_text;
// Output: &lt;script&gt;alert(&#039;Hello, XSS!&#039;);&lt;/script&gt;
// The browser renders the tags as text instead of executing the script.

// Example 2: Specifying additional options
$text = "<a href=''>Click here</a>";
$safe_text = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5);
echo $safe_text;
// Output: &lt;a href=&apos;&apos;&gt;Click here&lt;/a&gt;
// ENT_QUOTES converts both single and double quotes; ENT_HTML5 selects the
// HTML5 entity names, so a single quote becomes &apos; rather than &#039;.

// Example 3: The double_encode parameter
$text = "I love & hate PHP";
$safe_text = htmlspecialchars($text, ENT_COMPAT, 'UTF-8', true);
echo $safe_text;
// Output: I love &amp; hate PHP
// The fourth parameter is double_encode. With true (the default) an entity that is
// already present in the input, such as &amp;, is encoded again as &amp;amp;;
// pass false to leave existing entities untouched.
```

These examples show different situations in which you might use `htmlspecialchars()` in PHP 8.1 and 8.2 to encode special characters. Always choose the flags and character set that match where the output will be placed, so that the security and integrity of your web application are preserved.
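The following is an added example, not code from the original article. It wraps `htmlspecialchars()` in a hypothetical helper `e()` that pins the flags and charset, and then shows the three behaviours the examples above touch on: why ENT_QUOTES matters inside a single-quoted attribute, what double_encode does, and how ENT_SUBSTITUTE handles invalid UTF-8. The input strings are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of the original article): escape a value for an
// HTML element body or a quoted attribute value. Naming the flags and charset
// explicitly means the output does not depend on the PHP version's defaults.
function e(string $value, bool $doubleEncode = true): string
{
    return htmlspecialchars(
        $value,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8',
        $doubleEncode
    );
}

// Constructed sample input: a value a user could submit in a profile field.
$userInput = "x' class='injected";

// ENT_COMPAT (the pre-8.1 default) leaves single quotes alone, so inside a
// single-quoted attribute the value terminates the attribute early.
$compat = htmlspecialchars($userInput, ENT_COMPAT, 'UTF-8');
echo "<a title='$compat'>link</a>\n";
// <a title='x' class='injected'>link</a>   (quote survived: attribute injection)

// ENT_QUOTES encodes the single quote, so the value stays inside the attribute.
echo "<a title='" . e($userInput) . "'>link</a>\n";
// <a title='x&apos; class=&apos;injected'>link</a>

// double_encode: true re-encodes entities already present, false leaves them.
$alreadyEncoded = 'Fish &amp; Chips';
echo e($alreadyEncoded), "\n";         // Fish &amp;amp; Chips
echo e($alreadyEncoded, false), "\n";  // Fish &amp; Chips

// Invalid UTF-8: without ENT_SUBSTITUTE (or ENT_IGNORE) the function returns an
// empty string, silently dropping the content; with it, the bad byte becomes U+FFFD.
$badBytes = "caf\xC3";                  // truncated multibyte sequence
var_dump(htmlspecialchars($badBytes, ENT_QUOTES, 'UTF-8') === '');   // bool(true)
var_dump(e($badBytes));                 // string(6) "caf�"
```

Note that `htmlspecialchars()` only protects HTML text and quoted attribute contexts; values placed inside JavaScript, URLs or unquoted attributes need context-specific encoding instead.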