  1. #1 (SitePoint Wizard)

    Confused by PDO bindValue

    I used to write the code like this:

    Code:
    // Only read the field when it was actually submitted; the braces make the
    // escaping part of the condition instead of running unconditionally.
    if (isset($_POST['ad'])) {
        $ad = $_POST['ad'];
        $ad = htmlspecialchars($ad, ENT_QUOTES, 'UTF-8');
    }
    But if I do this:

    Code:
    try
    {
        // The value is bound separately, so it is never part of the SQL text
        $sql = "INSERT INTO store SET
            rob = :rob";

        $s = $pdo->prepare($sql);
        $s->bindValue(':rob', $_POST['rob']);
        $s->execute();
    }
    catch (PDOException $e)
    {
        $output = 'Error performing update: ' . $e->getMessage();
        include 'output.php';
        exit();
    }
    ... then does that mean I re-write the top part as just:
    Code:
    if (isset($_POST['ad']))
    ... dropping the htmlspecialchars() line?

    Does bindValue mean we don't need to use htmlspecialchars() any more? I'm redoing my code with PDO and need clarification on this point. Is htmlspecialchars() just used for echoing data?

    Thanks!
    Steve Husting

  2. #2 cpradio (Hosting Team Leader)
    You really never need to use htmlspecialchars when inserting into a database; you may need to use it when outputting content stored in the database. htmlspecialchars will prevent XSS (Cross Site Scripting) attacks, where someone tries to inject malicious JavaScript or markup into your site.

    So yes, you don't need to call htmlspecialchars when inserting into your database, however, you may want to use it when outputting anything from your database. Therefore, if you want to limit your code changes, and since you have been running it through htmlspecialchars up to this point, you may as well keep that line before inserting your record (it really won't harm anything).

  3. #3 Jeff Mott (SitePoint Wizard)
    htmlspecialchars is actually completely unrelated to anything SQL.

    The gist is:
    - When using user provided content in SQL, then escape characters that are special to SQL (real_escape_string, prepare/bind).
    - When using user provided content in HTML, then escape characters that are special to HTML (htmlspecialchars).

    So regardless of whether you escape for SQL with real_escape_string or prepare/bind, you don't need htmlspecialchars.

    EDIT: I'm too slow.

  4. #4 (SitePoint Wizard)
    Ooops. "ad" should be "rob"
    Steve Husting

  5. #5 (SitePoint Wizard)
    Thank you all!
    Steve Husting

  6. #6 (SitePoint Wizard)
    Well, this PHP/MySQL book is telling me to use htmlspecialchars when echoing from the table:

    <p>
    <?php
    echo htmlspecialchars($joke, ENT_QUOTES, 'UTF-8');
    ?>
    </p>
    Steve Husting

  7. #7 cpradio (Hosting Team Leader)
    Yes, that is technically the only time you need to use htmlspecialchars.

    However, in my prior response, I simply meant to say, since you were using it before inserting your data, you can continue to do that to keep your data in your database consistent and you will remain protected from XSS.
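    The two separate escaping steps described in #3 and #7 (prepare/bind for SQL on the way in, htmlspecialchars for HTML on the way out), as an added example that is not code from the thread. It uses an in-memory SQLite database so it runs stand-alone and reuses the thread's table and column names (store, rob) as assumptions.

    ```php
    <?php
    // Added example (not from the thread). SQLite in memory so it runs anywhere;
    // the table/column names "store" and "rob" are taken from the thread.
    function openStore(): PDO
    {
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE store (id INTEGER PRIMARY KEY, rob TEXT NOT NULL)');
        return $pdo;
    }

    // Insert: prepare/bind sends the value separately from the SQL text, so an
    // apostrophe in the input cannot terminate the string literal. Nothing is
    // HTML-escaped here; the database keeps exactly what the user typed.
    function saveRob(PDO $pdo, string $rob): void
    {
        $s = $pdo->prepare('INSERT INTO store (rob) VALUES (:rob)');
        $s->bindValue(':rob', $rob, PDO::PARAM_STR);
        $s->execute();
    }

    // Output: htmlspecialchars() is applied only where the value is placed inside
    // HTML, so <, >, &, " and ' become entities the browser will not parse as markup.
    function renderRob(string $rob): string
    {
        return '<p>' . htmlspecialchars($rob, ENT_QUOTES, 'UTF-8') . '</p>';
    }

    // Constructed input standing in for $_POST['rob']: it contains a character
    // special to SQL (the apostrophe) and characters special to HTML (the tags).
    $input = "O'Reilly <script>alert(1)</script>";

    $pdo = openStore();
    saveRob($pdo, $input);

    // The stored value is byte-for-byte what was submitted: no escaping on input.
    $stored = $pdo->query('SELECT rob FROM store')->fetchColumn();
    echo ($stored === $input ? 'stored unchanged' : 'stored was altered'), "\n";

    // The rendered value is safe to place in a page: escaping on output only.
    echo renderRob($stored), "\n";
    ```

    Escaping once on output also keeps the stored data usable for non-HTML consumers (JSON APIs, CSV exports, plain-text e-mail), which is why the "store raw, escape when rendering" split is the conventional one.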

  8. #8 (SitePoint Wizard)
    Thanks again!
    Steve Husting
