I used to write the code like this:
if (isset($_POST['ad']))
{
    $ad = $_POST['ad'];
    $ad = htmlspecialchars($ad, ENT_QUOTES, 'UTF-8');
}
But if I do this:
try
{
    $sql = "INSERT INTO store SET
        rob = :rob";
    $s = $pdo->prepare($sql);
    $s->bindValue(':rob', $_POST['rob']);
    $s->execute();
}
catch (PDOException $e)
{
    $output = 'Error performing update: ' . $e->getMessage();
    include 'output.php';
    exit();
}
… then does that mean I re-write the top part as just:
if (isset($_POST['ad']))
… dropping the htmlspecialchars() line?
Does bindValue mean we don’t need to use htmlspecialchars() any more? I’m redoing my code with PDO and need clarification on this point. Is htmlspecialchars() just used for echoing data?
Thanks!
You really never need to use htmlspecialchars when inserting into a database; you may need to use it when outputting content stored in the database. htmlspecialchars will prevent XSS (Cross Site Scripting) attacks: someone trying to inject malicious JavaScript or markup into your site.
So yes, you don’t need to call htmlspecialchars when inserting into your database, however, you may want to use it when outputting anything from your database. Therefore, if you want to limit your code changes, and since you have been running it through htmlspecialchars up to this point, you may as well keep that line before inserting your record (it really won’t harm anything).
htmlspecialchars is actually completely unrelated to anything SQL.
The gist is:
- When using user provided content in SQL, then escape characters that are special to SQL (real_escape_string, prepare/bind).
- When using user provided content in HTML, then escape characters that are special to HTML (htmlspecialchars).
So regardless of whether you escape for SQL with real_escape_string or prepare/bind, you don’t need htmlspecialchars.
EDIT: I’m too slow.
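The two-context rule above, shown end to end as an added example (not code from the thread), written in Python with sqlite3 rather than PHP/PDO: the bound parameter keeps a hostile string out of the SQL, the stored value stays raw, and escaping happens only when it is rendered into HTML. The table name and the sample input are constructed for the demo; the last function shows what happens when data is escaped before storage and again on output.

```python
import html
import sqlite3

# Constructed sample input standing in for $_POST['rob']: hostile to both
# the SQL context and the HTML context at once.
SAMPLE_INPUT = "Bobby'; DROP TABLE store; --<script>alert(1)</script>"


def store_raw(conn, value):
    """Insert via a bound parameter (the PDO prepare()/bindValue() equivalent).
    The driver sends the value separately from the SQL text, so neither SQL
    escaping nor htmlspecialchars is needed at this point."""
    conn.execute("INSERT INTO store (rob) VALUES (?)", (value,))
    conn.commit()


def render_html(value):
    """Escape only where the value enters HTML. quote=True mirrors ENT_QUOTES:
    both ' and \" are encoded in addition to &, < and >."""
    return "<p>" + html.escape(value, quote=True) + "</p>"


def demo(value=SAMPLE_INPUT):
    """Store the raw value with a bound parameter, then render it safely."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE store (id INTEGER PRIMARY KEY, rob TEXT)")
    store_raw(conn, value)
    stored = conn.execute("SELECT rob FROM store").fetchone()[0]
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    return {"stored": stored, "tables": tables, "html": render_html(stored)}


def double_escaped(value=SAMPLE_INPUT):
    """Escape before storage *and* on output: the stored '&lt;' becomes
    '&amp;lt;' in the page, so the visitor sees literal '&lt;' text."""
    pre_escaped = html.escape(value, quote=True)   # what ends up in the table
    return render_html(pre_escaped)
```

Running demo() shows the `DROP TABLE` text stored verbatim with the table intact, and `<script>` emitted as `&lt;script&gt;`; double_escaped() shows the `&amp;lt;` artefact that output-only escaping avoids.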
Ooops. “ad” should be “rob”
Well, this PHP/MySQL book is telling me to use htmlspecialchars when echoing from the table:
<p>
<?php
    echo htmlspecialchars($joke, ENT_QUOTES, 'UTF-8');
?>
</p>
Yes, that is technically the only time you need to use htmlspecialchars.
However, in my prior response, I simply meant to say, since you were using it before inserting your data, you can continue to do that to keep your data in your database consistent and you will remain protected from XSS.