Viktor Kostrov
Reputation: 3
Having issue with htmlspecialchars, where is the correct place to put it?
$stmt = $conn->prepare("INSERT INTO chatbox (username, message)
VALUES (:username, :message)");
$stmt->bindParam(':username', $username);
$stmt->bindParam(':message', $message);
$username = $_POST['username'];
$message = $_POST['message'];
$stmt->execute();
?>
Where would I put htmlspecialchars() in this situation, please help me?
Upvotes: 0
Views: 41
Answers (1)
lumio
Reputation: 7575
Nowhere here. Always try to put the "raw" (see below what I mean by "raw") data into your database. Only use htmlspecialchars when you want to show the data from your database.
"raw" as in sanitized and safe for the database, but not touched in a way that it is a certain format (e.g. HTML)
//edit:
So in order to use htmlspecialchars correctly, let's say you echo that message after receiving it from the database like that:
echo htmlspecialchars($message);
Upvotes: 3
Related Questions
- use of htmlspecialchars()
- Issue with Htmlspecialchars
- PDO and the use of filtering tools like htmlspecialchars
- htmlspecialchars not working as expected
- Using htmlspecialchars function with PDO prepare and execute
- Using htmlspecialchars() in php/html the correct and professional way
- where to put htmlspecialchars()
- htmlspecialchars wrong use?
- php htmlspecialchars
- PHP htmlspecialchars error