Re: htmlentities

Prepared statements have nothing to do with htmlentities (probably since
it's old code it was doing it wrong; it should have been using
mysql_real_escape_string).

Prepared statements make it (mostly) safe to store in the database (stopping
SQL hacks).
htmlentities is for outputting HTML to the user (stopping HTML/CSS/JS
injections into the page).

If you are outputting the content to the user (and data is provided by
users) you should make sure it is correctly escaped before displaying.

Similar question on SE:
http://stackoverflow.com/questions/1219159/do-i-need-htmlentities-or-htmlspecialchars-in-prepared-statements

On Thu, Jul 21, 2016 at 9:00 PM, Stephen <stephen-d@xxxxxxxxxx> wrote:

> I am going over old code as I create a new web site.
>
> My libraries have always called the subject on user input before inserting
> to a database.
>
> I started this before moving to PDO and prepared statements.
>
> So my question is, do I still need htmlentities, or is it redundant?
>
> --
> Stephen
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
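The split the reply describes, as an added example that is not from the thread: bind the raw value at the database boundary, escape it only at the HTML boundary. It assumes PHP with the pdo_sqlite extension so it can use an in-memory database; the input string is constructed for the demonstration.

```php
<?php
// Added example (not from the thread). In-memory SQLite keeps it self-contained.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed user input: quotes for SQL, a tag for the browser.
$userInput = "Bob's <script>alert(1)</script> \"quote\"";

// Boundary 1: the database. The value is bound as a parameter, never
// concatenated into the SQL text, so it needs no escaping of any kind and
// is stored exactly as the user typed it (no htmlentities here).
$insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $userInput]);

// What comes back out is byte-for-byte what went in, which is what a JSON
// API, an e-mail template or a search index also wants.
$row = $pdo->query('SELECT body FROM comments WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
if ($row['body'] !== $userInput) {
    throw new RuntimeException('stored value was altered');
}

// Boundary 2: HTML output. Escape at render time, for the HTML context.
// ENT_QUOTES covers single quotes too, so the helper is also safe inside
// double- or single-quoted attribute values; ENT_SUBSTITUTE avoids returning
// an empty string on invalid UTF-8.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The tag is rendered as visible text rather than executed by the browser.
echo '<p>' . h($row['body']) . "</p>\n";
echo '<input name="body" value="' . h($row['body']) . '">' . "\n";
```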
