user892134

Reputation: 3224

Using htmlspecialchars when not outputting to html

For example, if I use $id = $_GET['id']; and then I use that $id as a condition for an if statement, do I have to use htmlspecialchars on $id?

e.g.

$id = htmlspecialchars($_GET['id']);

if($id) {
//code
}

Is htmlspecialchars needed, even though no HTML is being output?

Upvotes: 0

Views: 75

Answers (1)

deceze

Reputation: 522042

No. You only need to HTML-escape data if you are outputting it into an HTML context, and the data may contain characters which have a special meaning in HTML (e.g. <, >, ") and you do not want those characters to break your HTML structure.

Also see The Great Escapism (Or: What You Need To Know To Work With Text Within Text).

Upvotes: 3
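
The distinction drawn in the answer above, as an added example that is not part of the original post: the value is validated for use in program logic and HTML-escaped only where it is written into HTML. The function names `parse_id` and `render_notice` and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example. $raw stands in for $_GET['id']; all sample values are constructed.

// Validate for program logic: returns a positive int, or null if invalid.
// No HTML escaping here, because nothing is being written into HTML.
// An explicit check also avoids relying on if ($id), which treats "0" as false.
function parse_id(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Escape at the point of output, for the context being written into (HTML text).
function render_notice(string $raw): string
{
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Requested id: {$safe}</p>";
}

$samples = ['42', '0', 'a&b', '<b>7</b>', null]; // constructed inputs

foreach ($samples as $raw) {
    $id = parse_id($raw);
    if ($id !== null) {
        echo "logic: valid id {$id}\n";
    } else {
        echo "logic: rejected " . var_export($raw, true) . "\n";
    }
    if ($raw !== null) {
        echo "html:  " . render_notice($raw) . "\n";
    }
}

// Escaping before the value is used in logic rewrites '&' to '&amp;',
// so an equality check against the raw value stops matching.
var_dump(htmlspecialchars('a&b') === 'a&b');
```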
