On 16-07-21 09:50 PM, Aziz Saleh wrote:
> Prepared statements have nothing to do with htmlentities (probably since it's an old code it was doing it wrong, should have been using mysql_real_escape_string). Prepared statements make it (mostly) safe to store in database (stopping sql hacks). htmlentities is for outputting html to the user (stopping html/css/js injections to the page).
>
> If you are outputting the content to the user (and data is provided by users) you should make sure it is correctly escaped before displaying.
>
> Similar question on SE: http://stackoverflow.com/questions/1219159/do-i-need-htmlentities-or-htmlspecialchars-in-prepared-statements
Thank you!

--
Stephen

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
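The two separate layers the reply describes, as an added example that is not code from the thread: a PDO prepared statement keeps user input out of the SQL grammar at storage time, and htmlspecialchars() escapes at output time. It assumes PHP with the PDO SQLite driver so it runs against an in-memory database; the table, function names and sample input are constructed for the example.

```php
<?php
// Added example, not from the mailing-list thread. Assumes PDO with the
// sqlite driver. Demonstrates that SQL-side and HTML-side escaping are
// different concerns applied at different boundaries.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Storage boundary: the prepared statement sends the value separately from
// the SQL text, so no SQL escaping is needed and none is applied. The raw
// text, quotes and angle brackets included, is what lands in the row.
function storeComment(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function loadComment(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Output boundary: escape when rendering HTML, not before storing. ENT_QUOTES
// covers both quote styles so the value is also safe inside a quoted attribute.
function renderComment(string $body): string
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample input carrying both a SQL-relevant quote and an HTML tag.
$input = "O'Reilly says <script>alert(1)</script>";
$id = storeComment($pdo, $input);
$stored = loadComment($pdo, $id);

// The database holds the input unchanged; the HTML output is escaped.
var_dump($stored === $input);
echo renderComment($stored), "\n";
```

Storing the text unescaped and escaping only at render time is what lets the same row be reused safely in a non-HTML context (a JSON API, a plain-text e-mail) without first undoing entity encoding.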