I have a little script which allows the user to save a text in the database. For this I used prepared statements to prevent any SQL injections. -> The part where the user saves something in the DB is safe.
Now I want to output the text of the user, I do this like that:
echo 'Text: ' . trim(htmlspecialchars($text)) . '';
Is this method safe? Are there better solutions? Should I rather prevent inserting all these special chars into the DB?
Answer 0 (score: 1)
Htmlspecialchars will convert all special HTML symbols into entities, like <.
So, it prevents XSS security exceptions.
So, we can say that using htmlspecialchars() is a safe way to display text which can contain HTML code.
Answer 1 (score: 0)
htmlspecialchars is used to prevent certain types of XSS attacks, not all of them.
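As an added example (not code from the question or either answer), the following PHP shows both points made above: htmlspecialchars() with an explicit flag set and charset is enough for HTML text nodes and quoted attribute values, but it does nothing for unquoted attributes, URL schemes or inline script, which need their own handling. The helper names escape_html(), render_text() and safe_href(), and the sample input, are assumptions made for this example.

```php
<?php
// Added example, not from the original question or answers.
declare(strict_types=1);

// Escape for HTML text nodes and quoted attribute values.
// ENT_QUOTES escapes both ' and " (the default leaves ' alone);
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "" and
// silently dropping the whole string; the charset is stated explicitly.
function escape_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render the stored text inside a paragraph, as the question does.
function render_text(string $text): string
{
    return '<p>Text: ' . escape_html(trim($text)) . '</p>';
}

// Contexts where htmlspecialchars() alone is not enough (second answer's point):
//  1. Unquoted attributes: whitespace ends the value, and htmlspecialchars()
//     never escapes whitespace, so always quote attribute values.
//  2. URL attributes (href/src): a scheme such as "javascript:" contains no
//     escapable characters, so validate the scheme instead of only escaping.
//  3. Inline JavaScript or CSS: HTML entity encoding is the wrong encoding
//     for those parsers; use json_encode() with JSON_HEX_* flags for JS
//     string literals, or keep user data out of script blocks entirely.
// safe_href() is a hypothetical helper for case 2: it allows only http(s)
// or scheme-less (relative) URLs, then escapes the result for the attribute.
function safe_href(string $url): ?string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return null; // reject anything that is not a plain web URL
    }
    return escape_html($url);
}

// Constructed sample input: what a user might have typed into the form.
$stored = "  <script>alert('x')</script> & \"quotes\"  ";

echo render_text($stored), PHP_EOL;                       // safe in a text node
echo '<input value="' . escape_html($stored) . '">', PHP_EOL; // safe in a quoted attribute

var_dump(safe_href('https://example.com/page?a=1&b=2'));  // escaped string
var_dump(safe_href('javascript:alert(1)'));               // NULL: scheme rejected
```

To answer the last part of the question: keep the raw text in the database and escape at output time for the context it is rendered into; stripping characters on the way in both damages legitimate input and ties the stored data to a single output context.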