To avoid SQL injection and XSS we use the function htmlspecialchars() or others like escapeString.
If we have to use this function every time we construct a SQL query and get the results, why then doesn't the function
$results->fetchArray();
apply the function htmlspecialchars directly?
Injection attacks happen when there is a change in the programming/instruction language. For example, from PHP to SQL, you need
mysqli_real_escape_string to escape the query string before processing by the SQL server. To answer your question,
$results still remains as a PHP variable and you only need to do the escaping just prior to outputting on the HTML form. Most people don’t do that straight away and some may not even output to HTML, so the function does not need to apply htmlspecialchars automatically.
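As an added illustration of the answer's point, here is example code that is not from the question or the answer; it assumes PHP's bundled SQLite3 extension, whose result objects have the fetchArray() method the question names, and uses an in-memory database so it runs offline:

```php
<?php
// Added example: the two escaping boundaries the answer describes.
// Constructed sample data; SQLite3 ships with PHP and needs no server.
$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE users (name TEXT)');
$db->exec("INSERT INTO users VALUES ('O''Brien & <Sons>')");

// Boundary 1: PHP -> SQL. The value is escaped at the moment it is
// spliced into query text, so the apostrophe stays data, not syntax.
function findUsers(SQLite3 $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '"
         . SQLite3::escapeString($name) . "'";
    $results = $db->query($sql);
    $rows = [];
    while ($row = $results->fetchArray(SQLITE3_ASSOC)) {
        $rows[] = $row; // still raw PHP data: no HTML escaping has happened yet
    }
    return $rows;
}

// Boundary 2: PHP -> HTML. Escape only where the value is written into markup.
function renderName(array $row): string
{
    return '<li>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . '</li>';
}

$rows = findUsers($db, "O'Brien & <Sons>"); // matches the seeded row
echo renderName($rows[0]), PHP_EOL;          // HTML-safe output

// The same row sent to a JSON consumer needs a different encoding, which is
// why fetchArray() cannot apply htmlspecialchars() on every caller's behalf.
echo json_encode($rows[0]), PHP_EOL;
```

Binding the value with SQLite3::prepare() and bindValue() removes the SQL-side escaping step entirely; the htmlspecialchars() call still belongs at the point of HTML output.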