The real problem arises when you need to allow potentially malicious users to enter HTML input. This is where you'd have to manually strip out every potentially malicious thing (such as tags, etc.) before displaying it. The problem with this approach is that this can get very complex to do reliably; most browsers allow for such a high degree of malformed input that it has proven to be virtually impossible for you to take all of it into account, and there have been countless examples of savvy people bypassing the input stripping by making it malformed, but in such a way that the browsers can still understand it.
That is why, to avoid this entire hassle but still allow for some basic HTML capabilities for the general public, alternatives like BBCode and UBB are frequently used. The major advantage here is that you control explicitly which tags can be used and which can't, and that tags that are not allowed simply won't be parsed. Since this approach replaces the usual HTML tags (which are parsed client-side) with equivalent BBCode tags (which are parsed server-side), you'll still want to apply htmlentities though - otherwise users could still use regular HTML tags. Writing a BBCode or UBB parser can be more complicated than it looks at first sight, so I'd advise you to use some of the excellent existing libraries out there rather than write your own.
As for htmlentities vs htmlspecialchars, the difference is that htmlentities escapes more characters than htmlspecialchars. For the purposes of escaping user input htmlspecialchars would work fine too, but why not escape more?
For your problem, here's what you do: the user enters his input in a standard <textarea>. This textarea contains his input with the lines separated by a newline character (\n). You simply take the input from the textarea, and insert it into the DB as-is. Then, when displaying it again, you apply htmlentities to it, and then run it through nl2br - this will convert the newlines to <br /> tags. Otherwise the newlines would only show up in the HTML source, and not on the rendered page. Note that you first apply htmlentities and then nl2br; if you had done it the other way around, the <br />'s would have been escaped by htmlentities.
When you want to enable the user to edit his input again, you apply htmlentities and echo it back between <textarea> and </textarea>. Here, you don't have to apply nl2br - the textarea control picks up on the newlines in the source code. Also, the entities escaped by htmlentities will be un-escaped again by your browser before sending the form data; this way you'll keep their original input instead of saving the escaped entities in the DB.
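The store / display / edit flow described above, written out as an added example (this is not code from the answer itself). It assumes a UTF-8 page, a PDO connection with a hypothetical `posts(content)` table for the "insert as-is" step, and a constructed sample string standing in for what a user typed into the textarea:

```php
<?php
// Added example, not part of the original answer.

// Constructed sample of raw textarea input: one line break, an ampersand,
// and a tag that must never reach the browser unescaped.
$raw = "Hello <b>world</b>\nsecond line & <script>alert(1)</script>";

// Step 1: store the input exactly as typed. Escaping is a display concern,
// so the DB keeps the original text; a bound parameter keeps the SQL safe.
// (Assumes a PDO connection $db and a hypothetical table "posts".)
function storeInput(PDO $db, string $raw): void {
    $stmt = $db->prepare('INSERT INTO posts (content) VALUES (:content)');
    $stmt->execute([':content' => $raw]);
}

// Step 2: display. htmlentities first, then nl2br, so the <br /> tags that
// nl2br inserts are real markup while everything the user typed is text.
function renderForDisplay(string $stored): string {
    $escaped = htmlentities($stored, ENT_QUOTES, 'UTF-8');
    return nl2br($escaped);
}

// The wrong order from the answer, kept for comparison: nl2br first means
// htmlentities turns the inserted <br /> into &lt;br /&gt;, so the browser
// shows the tag literally and renders no line break.
function renderWrongOrder(string $stored): string {
    return htmlentities(nl2br($stored), ENT_QUOTES, 'UTF-8');
}

// Step 3: edit form. Escape again, but no nl2br: a <textarea> preserves the
// newlines from the source, and the browser decodes the entities before
// submitting, so the original text (not the entities) comes back to the DB.
function renderEditForm(string $stored): string {
    return '<textarea name="content">'
         . htmlentities($stored, ENT_QUOTES, 'UTF-8')
         . '</textarea>';
}

// Demonstration using the constructed sample in place of a DB row.
echo renderForDisplay($raw), "\n\n";
echo renderWrongOrder($raw), "\n\n";
echo renderEditForm($raw), "\n";
```

Run it from the command line to compare the three outputs: only renderForDisplay produces both an escaped `<script>` and a working `<br />`; renderWrongOrder escapes the line break tag along with the user's text, and renderEditForm round-trips the original input through the form without double-encoding it.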
