I do know that htmlspecialchars should only be used to output to screen. But I'm having some trouble understanding its behavior when escaping malicious data.
When I print a PHP variable that contains data on which htmlspecialchars was used, it is escaped properly. But when I use that variable inside another variable and print the second variable, it doesn't escape special characters.
Please look at the code for better understanding.
Does escape:
$page_owner.="<div id='pg_owner_$userx' class='now'><div id='user_img_holder' ><img src='account/".htmlspecialchars($userx)."/".htmlspecialchars($image)."' id='user_img' ><div id=''><b>".htmlspecialchars($busi_title)."</b></div></div></div>";
echo $page_owner;
Doesn't escape:
$all.="<div class='hold_indi_samesrc'>".$page_owner.".<div style='float:left;'>".$alu."</div></div>";
echo $all;
When I echo $all, it doesn't escape the special characters that are in $page_owner.
Why is it happening? Is there any way to work around this issue?
Edit
The second code block contains $page_owner, which is in the first code block.
When I echo $page_owner (for testing purposes), I get $userx's and $busi_title's special characters escaped. But I need to have $alu and $page_owner inside $all. When I echo $all, I cannot get $userx's, $image's and $busi_title's special characters escaped. Is it even possible? How can I do that?
Please help, if you can.
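
Added example, not part of the original post: one way to build the two strings so that every interpolated value is escaped exactly once where it enters the markup, including the $userx in the id attribute and $alu, which the posted code concatenates without htmlspecialchars. The names e, render_page_owner and render_all and the sample values are assumptions, and $alu is assumed to be plain text rather than markup.

```php
<?php
// Added example; function names and sample values are constructed.

// Escape for HTML text and attribute contexts. ENT_QUOTES is explicit because
// the markup uses single-quoted attributes and PHP < 8.1 defaults to
// ENT_COMPAT, which leaves ' unescaped.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_page_owner(string $userx, string $image, string $busi_title): string
{
    // Path segments are URL-encoded first, then HTML-escaped for the attribute.
    $src = 'account/' . rawurlencode($userx) . '/' . rawurlencode($image);

    return "<div id='pg_owner_" . e($userx) . "' class='now'>"
         . "<div id='user_img_holder'><img src='" . e($src) . "' id='user_img'>"
         . "<div><b>" . e($busi_title) . "</b></div></div></div>";
}

function render_all(string $page_owner_html, string $alu): string
{
    // $page_owner_html is already-escaped markup: concatenate it as-is.
    // $alu is treated as plain text (assumption), so it is escaped once here.
    return "<div class='hold_indi_samesrc'>" . $page_owner_html
         . "<div style='float:left;'>" . e($alu) . "</div></div>";
}

// Constructed hostile inputs.
$userx      = "bob' onmouseover='alert(1)";
$image      = "me.png";
$busi_title = "<script>alert(1)</script>";
$alu        = "<img src=x onerror=alert(1)>";

$page_owner = render_page_owner($userx, $image, $busi_title);
$all        = render_all($page_owner, $alu);

// Concatenation does not undo escaping: $page_owner appears verbatim in $all.
assert(strpos($all, $page_owner) !== false);
// No raw tag or attribute-breaking quote from the inputs survives.
assert(strpos($all, '<script>') === false);
assert(strpos($all, "onmouseover='alert") === false);
assert(strpos($all, '<img src=x') === false);

echo $all, PHP_EOL;
```

Inspect the result on the command line or with the browser's View Source: the rendered page displays `&lt;` as `<`, which can look as if nothing was escaped.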