FAQ: Introduction to PHP Form Validation - Basic Data Sanitizing

This community-built FAQ covers the “Basic Data Sanitizing” exercise from the lesson “Introduction to PHP Form Validation”.

Paths and Courses
This exercise can be found in the following Codecademy content:

Learn PHP

FAQs on the exercise Basic Data Sanitizing

There are currently no frequently asked questions associated with this exercise – that’s where you come in! You can contribute to this section by offering your own questions, answers, or clarifications on this exercise. Ask or answer a question by clicking reply below.

If you’ve had an “aha” moment about the concepts, formatting, syntax, or anything else with this exercise, consider sharing those insights! Teaching others and answering their questions is one of the best ways to learn and stay sharp.


I am not sure if this lesson is working properly or I missed something. This is the code I used, which gave me the check mark for question one, but the output did not change the HTML to the reserved characters.


This is the correct code.

htmlspecialchars prevents code injection.

For example, try submitting <script>alert('hi');</script> with and without htmlspecialchars.

You’ll notice that htmlspecialchars escapes the HTML code (not recognized as such, just plain text).

You should always use this built-in function whenever you’re outputting potentially harmful data.

I guess I am still a bit confused. Shouldn’t the htmlspecialchars() change the output to the reserved characters? If I were to submit your code, it should change the output to &lt;script&gt;('hi');&lt;/script&gt;, correct? It just leaves the code as is: <script>alert('hi');</script>.

1 Like

Here’s the trick, though. It does do that, but in the source code:

The output that users see, however, is cleaner. And the result is the same! :slight_smile:

2 Likes
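The behaviour the two replies above describe, as an added example that is not code from the lesson or from either poster: the same submitted value is built into a page fragment once raw and once through htmlspecialchars(). The sample submission is constructed here, and the function names are chosen for this example.

```php
<?php
// Constructed sample submission: the payload the thread suggests trying.
$submitted = "<script>alert('hi');</script>";

// Unsafe: the raw value is placed in the HTML, so the browser treats the
// tag as markup and executes it (cross-site scripting).
function fragment_raw(string $value): string
{
    return "<p>You entered: " . $value . "</p>";
}

// Safe: reserved characters (< > & " ') are replaced with entities. The browser
// renders them back as literal text, which is why the rendered page looks
// unchanged while "view source" shows &lt; and &gt;.
// ENT_QUOTES also escapes single quotes, which matters when a value lands
// inside an HTML attribute; 'UTF-8' makes the charset explicit.
function fragment_escaped(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>You entered: " . $safe . "</p>";
}

// Quick self-check: the escaped fragment must not contain a live tag.
function contains_live_tag(string $html): bool
{
    return (bool) preg_match('/<script\b/i', $html);
}

echo fragment_raw($submitted), PHP_EOL;
echo fragment_escaped($submitted), PHP_EOL;

var_dump(contains_live_tag(fragment_raw($submitted)));     // the raw version
var_dump(contains_live_tag(fragment_escaped($submitted))); // the escaped version
```

Compare the two lines printed to the terminal with what a browser renders for each: the escaped one displays the tag as text, and the raw one does not display it at all because the browser executed it.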

Okay, I get it! Thank you so much for your help!

1 Like