Reply To: Append to URL & appear in post

[__]

So does using this variable $name and htmlspecialchars somehow make it more secure?

I used the variable $name in order to break the code example into parts, to make it easier to read and understand what was happening. You don’t have to do so if you do not wish to.

htmlspecialchars converts special characters into their entity equivalents. Specifically:

• < becomes <
• > becomes >
• " becomes "
• ' becomes '
• & becomes &

This ensures that they are displayed as text, and not interpreted as HTML markup. For example, say someone shared a link to your page with everyone on facebook—but, instead of using their name (as you intended), they put some javascript in the URL:

http://example.com/?value=<script>alert("I stole your FaceBook login cookies");</script>

If you just printed it, your HTML would look like this:

You are here <script>alert("I stole your FaceBook login cookies");</script>

Visitors would see the text “You are here”, the attacker’s script would run, and then they would lose their cookies. However, if you pass it through htmlspecialchars, it would look like this:

You are here <script>alert("I stole your FaceBook login cookies");</script>

Visitors would see the script tags as text, and be confused or perhaps alarmed, but the script wouldn’t run.