htmlentities() vs. htmlspecialchars()

走了就别回头了 2020-11-22 02:50

What are the differences between htmlspecialchars() and htmlentities()? When should I use one or the other?

12 answers
  •  [愿得一人]
    2020-11-22 03:05

    You should use htmlspecialchars($strText, ENT_QUOTES) when you just want your string to be XML and HTML safe:

    For example, encode

    • & to &amp;
    • " to &quot;
    • < to &lt;
    • > to &gt;
    • ' to &#039;

    However, if you also have additional characters that are Unicode or uncommon symbols in your text then you should use htmlentities() to ensure they show up properly in your HTML page.

    Notes:

    • ' will only be encoded by htmlspecialchars() to &#039; if the ENT_QUOTES option is passed in. &#039; is safer to use than &apos; since older versions of Internet Explorer do not support the &apos; entity.
    • Technically, > does not need to be encoded as per the XML specification, but it is usually encoded too for consistency with the requirement of < being encoded.
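
The comparison described in the answer above, as an added example that is not part of the original post: it encodes one constructed string three ways and reports whether a raw quote or angle bracket survives and whether the text decodes back unchanged. The helper names `esc()` and `safeInMarkup()` and the sample string are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: markup characters, both quote styles, non-ASCII text.
// \u{e9} and \u{a9} are e-acute and the copyright sign, written as escapes so
// the script does not depend on the encoding of the source file.
$input = "Tom & \"Jerry\" <b>it's</b> caf\u{e9} \u{a9}";

/** Hypothetical helper: the encoder to use for HTML text and attribute values. */
function esc(string $s): string
{
    // ENT_QUOTES covers both " and '. ENT_SUBSTITUTE swaps invalid UTF-8 for
    // U+FFFD instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

/** Hypothetical check: true when no raw quote or angle bracket is left. */
function safeInMarkup(string $encoded): bool
{
    return strpbrk($encoded, "<>\"'") === false;
}

$variants = [
    // Flags are spelled out because the default changed in PHP 8.1
    // from ENT_COMPAT to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401.
    'htmlspecialchars + ENT_COMPAT' =>
        htmlspecialchars($input, ENT_COMPAT | ENT_HTML401, 'UTF-8'),
    'htmlspecialchars + ENT_QUOTES' =>
        esc($input),
    'htmlentities     + ENT_QUOTES' =>
        htmlentities($input, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8'),
];

foreach ($variants as $label => $encoded) {
    // Decoding back shows whether the encoder lost or changed any text.
    $decoded = html_entity_decode($encoded, ENT_QUOTES | ENT_HTML401, 'UTF-8');
    printf(
        "%s\n  output:      %s\n  quote-safe:  %s\n  round-trips: %s\n",
        $label,
        $encoded,
        var_export(safeInMarkup($encoded), true),
        var_export($decoded === $input, true)
    );
}
```

Only the ENT_COMPAT variant leaves a raw `'` in its output, which matters when the value is placed inside a single-quoted attribute. The two ENT_QUOTES variants differ only in how the non-ASCII characters are written.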
