The htmlspecialchars() function is PHP’s primary tool for output escaping. It converts &, <, >, and quotes into HTML entities so user input displays as text instead of running as code.
01
Escape Output
&, <, >, quotes.
02
Prevent XSS
Block script tags.
03
ENT_QUOTES
Encode ' and ".
04
UTF-8
Always specify it.
05
vs htmlentities
Subset vs full.
06
On Output
Escape when echoing.
Fundamentals
Definition and Usage
In PHP, htmlspecialchars() prepares dynamic text for safe inclusion in HTML documents. Characters with special meaning in HTML are replaced with entities so browsers render them literally. This is essential whenever you echo user input, database values, or any untrusted string into a web page.
🛡
Security Rule
Escape at output, not only at input. The standard pattern is htmlspecialchars($value, ENT_QUOTES, 'UTF-8') right before echoing into HTML. Pair with prepared statements for SQL—never use htmlspecialchars for database queries.
Foundation
📝 Syntax
The function accepts a string, flags, encoding, and double-encode option:
The htmlspecialchars() function is the foundation of safe HTML output in PHP. Use htmlspecialchars($text, ENT_QUOTES, 'UTF-8') whenever you echo dynamic data into a web page.
It prevents XSS by encoding dangerous characters, pairs with htmlspecialchars_decode() for reversal, and covers most escaping needs without the overhead of full htmlentities() encoding.
Use htmlspecialchars($s, ENT_QUOTES, 'UTF-8') on every HTML output
Escape at output time, not only at input
Use prepared statements for SQL (separate concern)
Set double_encode to false for partially encoded input
Combine with Content Security Policy for defense in depth
❌ Don’t
Echo raw user input without escaping
Use htmlspecialchars for SQL injection prevention
Assume escaping input once at save time is enough forever
Skip escaping because input “looks safe”
Double-escape by calling htmlspecialchars twice on the same string
Summary
Key Takeaways
Knowledge Unlocked
Five things to remember about htmlspecialchars()
Use these points whenever you output dynamic text in PHP.
5
Core concepts
🛡01
Output Escape
&, <, >, quotes.
Purpose
🛠02
ENT_QUOTES + UTF-8
Standard pattern.
Syntax
⚠03
Prevent XSS
Block script tags.
Security
📈04
vs htmlentities
Subset is enough.
Compare
🔄05
Decode Pair
htmlspecialchars_decode().
Related
❓ Frequently Asked Questions
htmlspecialchars() converts special HTML characters to entities so they display as plain text instead of being interpreted as markup. It encodes &, <, >, and quotes (depending on flags)—the standard defense against XSS when echoing data into HTML.
string htmlspecialchars(string $string, int $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, ?string $encoding = null, bool $double_encode = true). The recommended pattern for web apps is htmlspecialchars($text, ENT_QUOTES, 'UTF-8').
ENT_QUOTES encodes both single and double quotes, preventing attribute-breakout attacks. UTF-8 ensures multibyte characters are handled correctly. Always pass both explicitly instead of relying on PHP defaults.
Call it at output time—whenever you echo user-controlled or dynamic data into HTML (body text, attributes, or JavaScript string contexts may need additional escaping). Do not use it as a substitute for prepared statements for SQL.
Use htmlspecialchars_decode() with matching ENT flags: htmlspecialchars_decode($encoded, ENT_QUOTES). Only decode when you need plain text for processing; re-escape before displaying in HTML again.