|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #67734 Add output escaping specifiers to sprintf etc.
Submitted: 2014-08-01 08:16 UTC Modified: 2020-11-13 10:42 UTC
From: marcus at synchromedia dot co dot uk Assigned:
Status: Suspended Package: Strings related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: marcus at synchromedia dot co dot uk
New email:
PHP Version: OS:


 [2014-08-01 08:16 UTC] marcus at synchromedia dot co dot uk
sprintf, vsprintf etc have numerous different specifiers for numbers, but only a single generic 'string' option for strings with %s. It would be useful to have additional options for escaping values, for example with URL encoding or HTML escaping. You might say that you can achieve this by applying escaping functions to the variables you pass in, which is correct, but in the interests of DRY, it's much tidier if the printing function can do this itself - and after all there is a clear precedent in the form of all the numeric options for which you could say the same.

It might be interesting to provide SQL escaping specifiers, since PDO doesn't provide a complete implementation for this, thoughit may be difficult to pass in a connection reference in a clean way.

Test script:
The current implementation looks like this:

echo sprintf('<a href="%s?linkname=%s">%s</a>', 'myscript.php', rawurlencode('> my link'), htmlentities('> my link', ENT_QUOTES));

Assuming the %h specifier applies URL-encoding, and the %H specifier applies HTML escaping:

echo sprintf('<a href="%1$s?linkname=%2$h">%2$H</a>', 'myscript.php', '> my link');


<a href="myscript.php?linkname=%3E%20my%20link">&gt; my link</a>


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2020-11-13 10:42 UTC]
-Status: Open +Status: Suspended
 [2020-11-13 10:42 UTC]
In my opinion, this is best left to userland (libraries), because
there may just be too many (slightly) different
requirements/demands.  If you feel strongly that this should be
part of PHP core, please forward your request to the internals
mailing list for discussion.  For the time being, I'm suspending
this ticket.
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Oct 23 19:03:33 2021 UTC