Home/ Questions/Q 8165993
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-06T19:42:27+00:00

Do i use htmlspecialchars on $_GET[‘search’] on page2? Wouldn’t i have to remove the

  • 0

Do i use htmlspecialchars on $_GET['search'] on page2? Wouldn’t i have to remove the htmlspecialchars from $_GET['search'] on page3 before i add mysql_real_escape_string to the variable? If so.. how do i remove htmlspecialchars?

page1

 $searchterm = "test"; //users search term
echo "<a href='page2?seach=test'>test</test>";

page2

$var = htmlspecialchars($_GET['search']);
<form action='page3' method='post'><input type='text' name='test' value='$var' /><input type='submit' value='submit'/></form>

page3

$search = mysql_real_escape_string($_POST['test']);
//insert into mysql database
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Do i use htmlspecialchars on $_GET['search'] on page2?

    You use htmlspecialchars when you have some text and are about to output it as HTML.

    That is what you are doing in your second example, so yes, you would.

    Wouldn’t i have to remove the htmlspecialchars from $_GET['search'] on page3

    No. The HTML is parsed by the browser to produce a text value.

    (This also means that browsers do not submit HTML-safe data, so when you take the data out of the database then you would use htmlspecialchars before outputting it to an HTML document).

    before i add mysql_real_escape_string to the variable

    Don’t use mysql_real_escape_string, use prepared statements and parameterized queries.

    • 0