dongyumiao5210 2015-03-21 21:52

htmlspecialchars behavior on PHP variables

I do know that htmlspecialchars should only be used to output to screen. But I'm having some trouble understanding its behavior when escaping malicious data.

When I print a PHP variable that contains data passed through htmlspecialchars, it is escaped properly. But when I use that variable inside another variable and print the second variable, it doesn't escape special characters.

Please look at the code for a better understanding.

does escape

$page_owner.="<div id='pg_owner_$userx' class='now'><div id='user_img_holder' ><img src='account/".htmlspecialchars($userx)."/".htmlspecialchars($image)."' id='user_img' ><div id=''><b>".htmlspecialchars($busi_title)."</b></div></div></div>";
echo $page_owner;

doesn't escape

$all.="<div class='hold_indi_samesrc'>".$page_owner.".<div style='float:left;'>".$alu."</div></div>";
echo $all;

When I echo $all, it doesn't escape the special characters that are in $page_owner.

Why is this happening? Is there any way to work around this issue?

Edit

The second code block contains $page_owner, which is built in the first code block.

When I echo $page_owner (for testing purposes), I get the special characters of $userx and $busi_title escaped. But I need to have $alu and $page_owner inside $all. When I echo $all, I cannot get the special characters of $userx, $image and $busi_title escaped. Is it even possible? How can I do that?

Please help, if you can.
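
Added example, not part of the original post: string concatenation does not alter a value that htmlspecialchars has already escaped, so this sketch escapes every variable at the point it enters the markup, including `$userx` in the `id` attribute and `$alu`, both of which the posted code inserts raw. The helper `e()`, the two builder functions and the sample values are assumptions made for illustration, and `$alu` is assumed to be plain text rather than trusted HTML.

```php
<?php
declare(strict_types=1);

// Escape for HTML text and attribute values. ENT_QUOTES encodes ' as well as ",
// which is required here because the markup uses single-quoted attributes.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Builds the inner fragment; every variable is escaped, including the one in id=''.
function build_page_owner(string $userx, string $image, string $busi_title): string
{
    return "<div id='pg_owner_" . e($userx) . "' class='now'>"
         . "<div id='user_img_holder'>"
         . "<img src='account/" . e($userx) . "/" . e($image) . "' id='user_img'>"
         . "<div><b>" . e($busi_title) . "</b></div></div></div>";
}

// Wraps the fragment. $page_owner is already HTML and is inserted as-is;
// $alu is assumed to be plain text, so it is escaped at this point.
function build_all(string $page_owner, string $alu): string
{
    return "<div class='hold_indi_samesrc'>" . $page_owner
         . "<div style='float:left;'>" . e($alu) . "</div></div>";
}

// Constructed sample input (hypothetical values chosen to contain <, &, and ').
$userx      = "7' data-x='1";
$image      = "me.png";
$busi_title = "<i>Tom & Jerry's</i>";
$alu        = "<u>raw</u>";

$page_owner = build_page_owner($userx, $image, $busi_title);
$all        = build_all($page_owner, $alu);

// Concatenation copies the escaped bytes unchanged, so the fragment survives inside $all.
var_dump(strpos($all, $page_owner) !== false);               // escaped fragment is intact
var_dump(strpos($all, "<i>") === false);                     // title markup is neutralised
var_dump(strpos($all, "data-x='1") === false);               // the quote cannot close the attribute
var_dump(strpos($all, "&lt;u&gt;raw&lt;/u&gt;") !== false);  // $alu is escaped in the outer string

echo $all, PHP_EOL;
```

Viewing the result with the browser's "view source" rather than the rendered page shows the entities directly, since the rendered page displays `&lt;` as `<`.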
