Asked  7 Months ago    Answers:  5   Viewed   90 times

I'm generating an XML document from a PHP script and I need to escape the XML special characters. I know the list of characters that should be escaped; but what is the correct way to do it?

Should the characters be escaped just with backslash (') or what is the proper way? Is there any built-in PHP function that can handle this for me?



Use the DOM classes to generate your whole XML document. It will handle encodings and decodings that we don't even want to care about.

Edit: This was criticized by @Tchalvak:

The DOM object creates a full XML document, it doesn't easily lend itself to just encoding a string on it's own.

Which is wrong, DOMDocument can properly output just a fragment not the whole document:


which gives:

Test &amp; <b> and encode </b> :)
Test &amp;amp; &lt;b&gt; and encode &lt;/b&gt; :)

as in:

$doc = new DOMDocument();
$fragment = $doc->createDocumentFragment();

// adding XML verbatim:
$xml = "Test &amp; <b> and encode </b> :)n";

// adding text:
$text = $xml;

// output the result
echo $doc->saveXML($fragment);

See Demo

Wednesday, March 31, 2021
answered 7 Months ago

If you need about 10 million unique keys (for example), the best approach is to pick a key-space that's exponentially bigger, and start randomly generating. Read about the Birthday Paradox -- it's the main thing you should be worried about. If you want 2^n unique and secure keys, make sure there are at least 2^(2 * n) possible values. Here's a rough O(n log n) algorithm:

  • Use a key space of at least 2^50 (so, in other words, allow 2^50 possible unique values), and you'll have barely any collisions in your entire dataset -- and anyone brute forcing your keys will have about even odds of getting a key if they try 2^25 of them.
  • generate as many random numbers as you need
  • index the database on your key (this is the O(n lg n) step: the sort)
  • page through the DB and iterate over the entire data set to trim duplicates (pseudocode below)
  • Delete the duplicate rows, and you're done.


$last = null;
while ($current = getnext()) {
    if ($last == $current) {
        push($toDelete, $current);
    $last = $current;
Wednesday, March 31, 2021
answered 7 Months ago

What you tried looks very strange, but at least you tried something ;-) ... You somehow mixed a POST and GET request, there is no header defined and where is the xml format?

Probably it helps to read this first: What is a XML-RPC Request

Then concerning App Inventor you can try to use the following blocks.
EDIT: update of the screenshot to make things clearer.

enter image description here

Wednesday, March 31, 2021
answered 7 Months ago

I dont want xml writer to encode the multilingual characters , how this is possible ?

Actually as you write XML you already encode. What you mean is that you don't want to use numeric entities for these two characters which is possible but not always.

To not use numeric entities, you need to match the encoding of the document with the encoding of your string. From the output you provided I can only guess a bit, those two characters probably stand for:

  1. Unicode Han Character 'the Chinese people, Chinese language' (U+6F22)
  2. Unicode Han Character 'letter, character, word' (U+5B57)

Which could mean (I do not speak any Chinese so far) something like Chinese Word.

XMLWriter in PHP will always put characters into a numeric entity (like &#x6F22; and &#x5B57; in your example) whenever the encoding of the document is not able to represent that character within the document.

If you are able to match both encodings XMLWriter will automatically not use the numeric entities.

I give a more simple example. Let's take the US-ASCII encoding and the German umlaut Ä from Äpfel (Unicode Character 'LATIN CAPITAL LETTER A WITH DIAERESIS' (U+00C4)) as an attribute value:

$xmlWriter = new XMLWriter();
$xmlWriter->startDocument('1.0', 'US-ASCII');
$xmlWriter->writeAttribute('value', 'Äpfel');
echo $xmlWriter->flush();

This code written down in an UTF-8 encoded PHP file will output when executed:

<?xml version="1.0" encoding="US-ASCII"?>
<root value="&#196;pfel"/>

&#196; is the numeric entity for the unicode character U+00C4 and if you look closely, C4 is the hexadecimal representation of decimal 196 which also shows that the numeric XML entity always represents the Unicode character number.

So the XML output uses the US-ASCII encoding which is not able to represent the Ä from the UTF-8 encoded string in the PHP code and therefore properly encodes it with it's numeric entity to preserve the character information.

Now changing the encoding from:

$xmlWriter->startDocument('1.0', 'US-ASCII');

to the UTF-8 encoding of the PHP string:

$xmlWriter->startDocument('1.0', 'UTF-8');

does change this output:

<?xml version="1.0" encoding="UTF-8"?>
<root value="Äpfel"/>

This would equally work with your example however, one important information in your question is missing: In which encoding is the string from that record?

If it is UTF-8 already, then like I outlined in the example above, it would work already:

$recordUTf8 = "... contents="Just <span style="color:red">testing</span>:"
$encoding   = 'UTF-8';
$encoding   = 'US-ASCII';

$xmlWriter = new XMLWriter();
$xmlWriter->startDocument('1.0', $encoding);
$xmlWriter->writeAttribute('value', $recordUTf8);
echo $xmlWriter->flush();


<?xml version="1.0" encoding="UTF-8"?>
<record value="... contents=&quot;Just &lt;span style=&quot;color:red&quot;&gt;
               testing &lt;/span&gt;:?? &quot;"/>

As this output show, no numeric entities are used here, however, the string is clearly UTF-8 encoded (in a binary safe manner here in case you use a different encoding for the PHP file if you copy it over).

So just to summarize at this point: The XML encoding need to match the encoding of the string to represent all characters not in numeric entities (apart from the ones used to encode XML itself like <, >, ', " and &).

These are pretty much XML basics. If the document has an encoding the character data can not be represented in but as XML supports Unicode, the fallback are numeric entities. You are trying to prevent this fallback by aligning the document encoding with the string encoding.

Here is my advice for PHP & XMLWriter specifically:

  1. Obtain or re-encode the record from the database to UTF-8.
  2. Only pass UTF-8 strings into XMLWriter methods.
  3. Set the XML documents encoding to UTF-8.

I give these suggestions because UTF-8 is the default encoding of XML and UTF-8 support is quite well in PHP. Also XMLWriter expects Unicode strings to be UTF-8 encoded, there is no setting or option that allows you to change that, so the input already needs to be UTF-8 encoded.

However independent to the input string, you can naturally tell XMLWriter to use a different output encoding. For example any other Chinese or Unicode Encoding might be suitable for you and it is possible for XMLWriter output as long as your PHP configuration supports that specific output encoding (check the iconv library you have).

When you start the document with XMLWriter, the second parameter specifies the encoding:

$xmlWriter->startDocument('1.0', $encoding);

You can put in any encoding from the set of the encodings XML supports in the corresponding XML-Declaration:

<?xml version="1.0" encoding="ISO-8859-1"?><!-- Latin-1 example -->

The full specs of the XML encoding value can be found here: ::

In an encoding declaration, the values " UTF-8 ", " UTF-16 ", " ISO-10646-UCS-2 ", and " ISO-10646-UCS-4 " should be used for the various encodings and transformations of Unicode / ISO/IEC 10646, the values " ISO-8859-1 ", " ISO-8859-2 ", ... " ISO-8859- n " (where n is the part number) should be used for the parts of ISO 8859, and the values " ISO-2022-JP ", " Shift_JIS ", and " EUC-JP " should be used for the various encoded forms of JIS X-0208-1997. It is recommended that character encodings registered (as charsets) with the Internet Assigned Numbers Authority [IANA-CHARSETS], other than those just listed, be referred to using their registered names; other encodings should use names starting with an "x-" prefix. XML processors should match character encoding names in a case-insensitive way and should either interpret an IANA-registered name as the encoding registered at IANA for that name or treat it as unknown (processors are, of course, not required to support all IANA-registered encodings).

Where-as [IANA-CHARSETS] is:

(Internet Assigned Numbers Authority) Official Names for Character Sets, ed. Keld Simonsen et al. (See

These specs are perhaps a little bit verbose. In the context of your question, all you need to do is to find out the encoding of your record-string. I btw. can't say I was not able to reproduce your exact output, I always get decimal entities, not hexa-decimal ones. You might be able to provide more information with a hex-dump of the string.

Wednesday, March 31, 2021
answered 7 Months ago

you can use following to get unique id with 32 chars

md5(uniqid(time(), true))

or you can use sha1 like with 40 chars

sha1(uniqid(time(), true))
Saturday, May 29, 2021
answered 5 Months ago
Only authorized users can answer the question. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :