Using htmlspecialchars function with PDO prepare and execute

by

Your confusion is quite common because information and examples in books and on the internet including php.net are misleading or ambiguous. The most important thing you can learn when developing web apps is filter input, escape output.

Filter Input
This means that for any data input whether provided by a user on a form or provided by a file from some other source, filter out anything which does not belong. An example would be that if you expect a numeric value, filter out any non-numeric characters. Another example would be limit/ensure the maximum length of data. However, you don’t need to get to crazy with this. For example, if you expect a line of text that can contain literally any combination of characters, then trying to come up with a filter will probably only frustrate your users.

So, you generally would store input data in your database as provided with optionally some filtering before hand.

Escape Output
What is meant by escape output is to properly make safe the data for a given media. Most of the time, this media is a web page (html). But, it can also be plain text, xml, pdf, image, etc. For html, this means using htmlspecialchars() or htmlentities() (you can read up on the differences here). For other media types, you would escape/convert as appropriate (or not at all if appropriate).

Now, your question is whether or not you should use htmlspecialchars() on input data that will be used as sql query parameters. The answer is no. You should not modify the data in any way.

Yes, the data contained in $_POST should be considered dangerous. Which is why you should 1) guard against sql injection using prepared statements and bound parameters as you are doing and 2) properly escape/convert data found in $_POST if you place it in html.

There are many frameworks for PHP which handle these details for you and I recommend you pick and use one. However, if you do not, you can still build a safe and secure application. Whether you use a framework or not, I strongly suggest that you read the recommendations suggested by OWASP. Failure to do so will only result in a security nightmare for your web application.

More Related Contents:

  1. Insert form in MySQL with PDO [duplicate]
  2. Undefined index $_POST
  3. Are PDO prepared statements sufficient to prevent SQL injection?
  4. Reference — frequently asked questions about PDO
  5. Getting raw SQL query string from PDO prepared statements
  6. How do I set ORDER BY params using prepared PDO statement?
  7. “Invalid parameter number: parameter was not defined” Inserting data
  8. Having issue with matching rows in the database using PDO
  9. How can I properly use a PDO object for a parameterized SELECT query
  10. How do I return integer and numeric columns from MySQL as integers and numerics in PHP?
  11. pdo – Call to a member function prepare() on a non-object [duplicate]
  12. How to replace MySQL functions with PDO?
  13. PDO::fetchAll vs. PDO::fetch in a loop
  14. Are there good tutorials on how to use PDO? [closed]
  15. Connect to SQL Server through PDO using SQL Server Driver
  16. PHP Connection failed: SQLSTATE[HY000] [2002] Connection refused
  17. PDO error: ” SQLSTATE[HY000]: General error ” When updating database
  18. PDO PHP Fetch Class
  19. SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax — PHP — PDO [duplicate]
  20. PDO Connection Test
  21. PHP PDO::bindParam() data types.. how does it work?
  22. PHP PDO and MySQLi [duplicate]
  23. PDO fetch one column from table into 1-dimensional array
  24. Using value of a column as index in results using PDO
  25. Is “SET CHARACTER SET utf8” necessary?
  26. Getting a PHP PDO connection from a mysql_connect()?
  27. Having issue with matching rows in the database
  28. PDO: MySQL server has gone away
  29. PHP/SQL Insert Error when using Named Placeholders
  30. Is a BLOB converted using the current/default charset in MySQL?

Leave a Comment