Prepared statements have nothing to do with htmlentities (probably since it's old code it was doing it wrong; it should have been using mysql_real_escape_string). Prepared statements make it (mostly) safe to store in the database (stopping SQL hacks). htmlentities is for outputting HTML to the user (stopping HTML/CSS/JS injections into the page). If you are outputting the content to the user (and the data is provided by users) you should make sure it is correctly escaped before displaying.

Similar question on SE: http://stackoverflow.com/questions/1219159/do-i-need-htmlentities-or-htmlspecialchars-in-prepared-statements

On Thu, Jul 21, 2016 at 9:00 PM, Stephen <stephen-d@xxxxxxxxxx> wrote:
> I am going over old code as I create a new web site.
>
> My libraries have always called the subject on user input before inserting
> to a database.
>
> I started this before moving to PDO and prepared statements.
>
> So my question is, do I still need htmlentities, or is it redundant?
>
> --
> Stephen
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
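The split the reply describes, as an added example rather than code from the thread or either participant: the prepared statement handles the SQL side on the way in, and htmlspecialchars() handles the HTML side on the way out. The in-memory SQLite database, the `comments` table, the function names and the sample input are all constructed for this illustration.

```php
<?php
// Added example (not from the mailing-list thread): keep SQL escaping and
// HTML escaping as two separate steps. Uses an in-memory SQLite database so
// it runs stand-alone; the table and the sample input are constructed.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side parameter binding
]);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

/**
 * Store the comment exactly as the user typed it. The bound parameter never
 * becomes part of the SQL text, so no SQL escaping is needed here, and no
 * htmlentities() either: encoding on input bakes HTML entities into the
 * stored data, which is wrong for every non-HTML consumer (JSON APIs,
 * plain-text e-mail, CSV exports) and double-encodes ("&amp;amp;") once the
 * output layer escapes again.
 */
function storeComment(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function loadComment(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : (string) $body;
}

/**
 * Escape at the point of output, for the HTML context it is going into.
 * ENT_QUOTES covers single- as well as double-quoted attribute values;
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
 */
function renderCommentHtml(string $body): string
{
    return '<p class="comment">'
        . htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// Constructed sample input containing the characters that matter in HTML.
$userInput = 'Tom & Jerry <b>"bold"</b> \'quoted\'';

$id     = storeComment($pdo, $userInput);
$stored = loadComment($pdo, $id);

// The database holds the raw text, so non-HTML consumers get it unmodified.
if ($stored !== $userInput) {
    throw new RuntimeException('stored value was altered on the way in');
}
echo json_encode(['body' => $stored]), PHP_EOL;

// The HTML view escapes on the way out, and only there.
echo renderCommentHtml($stored), PHP_EOL;
```

Running this with the PHP CLI (`php example.php`) prints the JSON form with the raw text and then the HTML form with `&`, `<`, `>` and both quote characters entity-encoded. If the same value is later placed into a JavaScript string or a URL, that context needs its own escaping function (json_encode(), rawurlencode()), which is the general reason to escape at output time rather than at insert time.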