Hi, I’m planning to make users able to submit some pieces of code (PHP, Java, JavaScript, C++, etc.; whatever they want, I mean).
So can anyone suggest the best practice to make it safe for my site? :))
I mean, which tags/chars/strings should I escape in PHP once the code string is submitted?
Use placeholders in your queries and you don’t even have to escape the input.
Placeholders, binding, and prepared statements are definitely the preferred method.
It’s faster for anything over 1 query as you can reuse the handles and just change the input.
It’s safer. The string is not interpreted with the query… ever. What you store is what you get.
I’d need to know a bit more about your target SQL to give pertinent examples, but here are some links:
PDO style binding: http://docs.php.net/pdo.prepared-statements
MySqli style binding: http://docs.php.net/manual/en/mysqli-stmt.bind-param.php
When you read it back, display with
ENT_QUOTES option ensures that both single and double quotes get escaped.
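Putting the two answers above together (bound parameters on the way in, HTML escaping on the way out), here is an added example that is not from the thread. It assumes MySQL via PDO, a hypothetical `snippets` table with columns `id`, `lang` and `body`, and placeholder credentials.

```php
<?php
// Added example, not from the original thread. Assumes a MySQL table created as:
//   CREATE TABLE snippets (id INT AUTO_INCREMENT PRIMARY KEY, lang VARCHAR(32), body MEDIUMTEXT);
// The DSN, user and password below are placeholders for your own setup.

function openDb(): PDO {
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Store the submitted code exactly as received. The value travels as a bound
// parameter, so quotes, semicolons or backslashes inside it never become SQL text.
function storeSnippet(PDO $pdo, string $lang, string $code): int {
    $stmt = $pdo->prepare('INSERT INTO snippets (lang, body) VALUES (:lang, :body)');
    $stmt->execute([':lang' => $lang, ':body' => $code]);
    return (int) $pdo->lastInsertId();
}

function fetchSnippet(PDO $pdo, int $id): ?array {
    $stmt = $pdo->prepare('SELECT lang, body FROM snippets WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escaping belongs at the output boundary, not at storage time: encode for HTML
// when rendering so that tags and quotes in the stored code are shown as text.
// ENT_QUOTES escapes both ' and "; ENT_SUBSTITUTE avoids an empty string on bad UTF-8.
function renderSnippet(array $row): string {
    $lang = htmlspecialchars($row['lang'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $body = htmlspecialchars($row['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<pre class=\"code\" data-lang=\"$lang\">$body</pre>";
}

// Constructed sample input containing characters that matter in both SQL and HTML.
$pdo = openDb();
$id  = storeSnippet($pdo, 'javascript', "if (a < b && c != 'x') alert(\"hi\"); // <script>");
$row = fetchSnippet($pdo, $id);
echo renderSnippet($row);
```

The stored `body` is byte-for-byte what the user sent; only the rendered copy is escaped, so the same row can later be served raw to a download or a syntax highlighter without double-escaping.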