The use of htmlspecialchars() or htmlentities() in prepared statements

2018-06-20 15:40:42

I am using prepared statements to store, retrieve and update data to or from the database. Do I need to use htmlspecialchars() or htmlentities() if I am using prepared statements?

From what I understand, you dont need to use htmlspecialchars() when inserting data and it only concerns html that is outputted...

I have a situation where I am using a prepared statement to store user input from a register form like so:

$stmt = $conn2->prepare("INSERT INTO users (username, email, password) VALUES (?, ?, ?)");
$stmt->bind_param('sss', $username, $email, $password);
$stmt->execute();

I have another script that is retrieving the username and password when logging in and displaying their username on screen like so:

$stmt = $conn2->prepare("SELECT username FROM users WHERE username = ? AND password = ?");
$stmt->bind_param("ss", $username, $password);
$stmt->execute();
$stmt->store_result();

if ($stmt->num_rows == 1) {

$stmt->bind_result($name);
$stmt->fetch();

I have also put the username in a SESSION and echoed the session like so:

echo $_SESSION['user']['username']

From this example, do I need to use htmlspecialchars() or htmlentities() when displaying the username? Is this what is meant by outputting the HTML?

If so, where would I implement htmlspecialchars() or htmlentities()??

Databases don't care about HTML.

Use one of them if you are inserting the data into an HTML document, and do so immediately before inserting into an HTML document (not immediately before inserting into a database, you might need the raw data again for some other purpose).

链接地址: http://www.djcxy.com/p/58064.html

上一篇: PHP中的收益率意味着什么？