I am currently overworking my website and would like to make consequent usage of correct character encoding since I had some with this trouble so far.
My HTML and PHP files are encoded with UTF8, my HTML head looks like this:
<!DOCTYPE html><html><head><meta charset="utf-8" />.....
I use MySQLi and configured my connection like this:
$DB->set_charset("utf8");
My database is using utf8_general_ci collation.
So I think I set up everything correctly.
Now my problem: To avoid cross site scripting I everytimes use htmlentities() when displaying data the user has saved into my database in order to break HTML characters like < > " '
echo(htmlentities($str, ENT_QUOTES, "UTF-8"));
But when $str contains other special characters like ÄäÖöÜü&ßàé they also get broken and my browser only displays only & Auml; and so on...
Where is my fault? What is the correct method to achieve safety against xss and display utf-8 characters? I think I could need a complete crash course within these topics. This solution does not match my problem because I already use this parameter.
I would be very thankful if you could help me with this issue. Best regards Lukas
