Title kinda says it all. Should I be using nl2br(htmlspecialchars($text)) for everything I echo/print to screen?
I’ve been looking around, and it seems like the word is that when handling input from the user, sanitize it by escaping it and inserting it into the database. Then when retrieving from the database, if I intend to spit it out to the screen, I should use htmlspecialchars() to convert unfriendly characters to their safe equivalents, and use nl2br() around that if I want to convert newlines to breaks?
Should I just create a new function called safeEcho() that does echo nl2br(htmlspecialchars($text)) and use that everywhere I might have to output something that could have come from the user, instead of the usual echo/print statements then?
No,
To save safely in your database you only need this (to escape single/double quotes and others):
When reading from the database, don't do anything; many conversions don't do any good.
The nl2br just takes the "\n" and produces a <br />; surely not needed for printing.
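As an added example (not code from either poster), here is the kind of safeEcho() helper the question describes, together with a demonstration of what it changes in the output and why the order of nl2br() and htmlspecialchars() matters. The function names, the flag choices and the sample comment string are all my own assumptions; the input is a constructed string, not data from any real site.

```php
<?php
// Added example, not from the original thread: an output-escaping helper
// of the kind the question proposes, plus a demonstration of why the
// escaping belongs at output time, as a layer separate from database storage.
declare(strict_types=1);

/**
 * Escape a string for insertion into an HTML element body.
 * ENT_QUOTES escapes both ' and " so the result is also safe inside a
 * quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD
 * instead of returning an empty string, which would silently drop content.
 */
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Escape first, then convert newlines to <br />. The order matters:
 * nl2br() emits a literal "<br />" tag, and htmlspecialchars() would turn
 * that tag into "&lt;br /&gt;" if it ran second.
 */
function safeHtmlWithBreaks(string $text): string
{
    return nl2br(escapeHtml($text));
}

/** Wrong order, kept only to show the failure mode: the <br /> itself gets escaped. */
function wrongOrder(string $text): string
{
    return escapeHtml(nl2br($text));
}

/** The helper the question asks about: echo user-supplied text safely. */
function safeEcho(string $text): void
{
    echo safeHtmlWithBreaks($text);
}

// Constructed sample input standing in for a comment read back from the
// database. It contains a tag, both quote styles, an ampersand and newlines.
$comment = "Nice post!\n<script>alert('xss')</script>\nSee \"quotes\" & ampersands.";

echo "1) Printed as-is (the browser would execute the script):\n";
echo $comment, "\n\n";

echo "2) safeEcho(): tag and quotes are neutralised, newlines become <br />:\n";
safeEcho($comment);
echo "\n\n";

echo "3) Escaping after nl2br(): the line breaks are lost as visible text:\n";
echo wrongOrder($comment), "\n";
```

Run with `php example.php`. Case 2 renders `<script>` as `&lt;script&gt;`, so the browser shows the text instead of executing it, while the `<br />` tags inserted afterwards stay intact. Case 3 shows the reverse order: the break tags arrive as `&lt;br /&gt;` and appear literally on the page. Two points worth keeping apart: escaping for storage (or, better, parameterised queries) protects the database query, while htmlspecialchars() protects the HTML page, and neither substitutes for the other; and this helper is only correct for HTML element bodies and quoted attributes, not for text placed inside a `<script>` block, a URL or a CSS value, which need their own encoders.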