ShuklaSannidhya

Reputation: 8976

Do I need to `htmlspecialchars()` when I read PHP Session?

Do I need to use htmlspecialchars() before I send PHP Session into MySQL query?

Can some evil hacker create sessions on his machine with a dangerous SQL injection in it?

Upvotes: 0

Views: 737

Answers (1)

Quentin

Reputation: 944216

No.

You use htmlspecialchars() before you put text into HTML. (Trusted HTML you put straight into HTML. Untrusted HTML you run through a whitelist.) That is a defence against XSS.

It is SQL injection that you have to worry about when putting data into an SQL query. Since session data contains only what you put into it in the first place, if you take any measures to defend against SQL injection, then they will depend on what data you put into the session.

As a rule of thumb, any variable being put into a query should be inserted using bound variables and not string concatenation.

Upvotes: 4
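The two points of the answer side by side, as an added example that is not part of the original question or answer: a session value goes into the query through a bound parameter (never string concatenation), and htmlspecialchars() is applied only at the moment the result is written into HTML. The `users` table, its rows and the contents of `$_SESSION` are constructed for the demonstration, and an in-memory SQLite database stands in for MySQL so the script runs offline with stock PHP (7.4 or later, with the pdo_sqlite extension); the PDO calls are the same ones you would use against MySQL.

```php
<?php
// Added example (not from the original answer). Session data is handled like
// any other variable: bound parameters for SQL, htmlspecialchars() for HTML.
// In-memory SQLite stands in for MySQL so this runs offline; the table and
// the session contents are constructed for the demonstration.

declare(strict_types=1);

// Constructed in-memory database standing in for the MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, display_name TEXT)');
$db->exec("INSERT INTO users (username, display_name) VALUES ('alice', 'Alice <admin>'), ('bob', 'Bob')");

// In a real application session_start() runs at login and the value comes from
// the authenticated user. Here it is constructed, and deliberately contains
// characters that are special to SQL (the quote) so the difference shows.
$_SESSION = ['username' => "alice' OR '1'='1"];

// Wrong: string concatenation. The quote inside the session value becomes part
// of the SQL text and changes the meaning of the WHERE clause.
function lookupUnsafe(PDO $db, string $username): array
{
    $sql = "SELECT display_name FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Right: bound parameter. The value is passed as data and is never parsed as SQL,
// so the same session value simply matches no row.
function lookupSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT display_name FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// htmlspecialchars() belongs where text enters HTML, not before the query.
// Escaping before the query would also corrupt the value being searched for
// (an apostrophe in a username would be stored or looked up as &#039;).
function renderNames(array $names): string
{
    $items = array_map(
        fn(string $n): string => '<li>' . htmlspecialchars($n, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>',
        $names
    );
    return '<ul>' . implode('', $items) . '</ul>';
}

$unsafe = lookupUnsafe($db, $_SESSION['username']);
$safe   = lookupSafe($db, $_SESSION['username']);

printf("concatenated query returned %d row(s)\n", count($unsafe));
printf("bound parameter returned %d row(s)\n", count($safe));
echo renderNames($unsafe), "\n";
```

Run it with `php example.php`. The concatenated query returns every user, because the value turns the condition into `username = 'alice' OR '1'='1'`; the prepared statement returns nothing, because no user has that literal name. The rendered list shows `Alice <admin>` with the angle brackets escaped, which is the one place htmlspecialchars() has a job to do.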
