benanamen: htmlspecialchars is an OUTPUT function ONLY

Not trying to beat a dead horse, but I agree. There’s that saying

Sanitize or validate on input, escape on output.

I don’t know why people put it that way, it should just be “validate on input, escape on output” since I rarely see people sanitize at all.

People tend to confuse this process a lot. It’s not really that complicated. When you validate, all you’re really doing is making sure the input has a set standard that you want. So for instance, a phone number. Do you think it’s appropriate to allow letters in your phone number? Not really. So that’s where you validate and make sure the structure of the input matches a legitimate phone number structure. If not, you give them an error message telling them to correct the input. You shouldn’t modify the user’s input at all. That’s why you let them do it themselves. That way, they know exactly what they put instead of guessing what they put.
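The validate-on-input, escape-on-output split described in the post, as an added PHP example that is not part of the original thread. The phone-number format (optional leading +, 7 to 15 digits, spaces or hyphens between groups) and the function names validatePhone and e are assumptions for illustration; substitute your own rules. Validation rejects bad input with a message and never rewrites what the user typed; htmlspecialchars is called only at the point of rendering, including when the user's own rejected input is echoed back so they can see exactly what they entered.

```php
<?php
// Added example, not from the original thread. Demonstrates
// "validate on input, escape on output" for a phone-number field.
// validatePhone(), e() and the accepted phone format are assumptions.

declare(strict_types=1);

/**
 * Validate a phone number. Returns null when the input is acceptable,
 * otherwise an error message to show the user. The input is never
 * modified: the user is told what is wrong and corrects it themselves.
 */
function validatePhone(string $input): ?string
{
    // Assumed format: optional leading +, digit groups separated by a
    // single space or hyphen, 7 to 15 digits in total.
    if ($input === '') {
        return 'Phone number is required.';
    }
    if (strlen($input) > 32) {
        return 'Phone number is too long.';
    }
    if (!preg_match('/^\+?\d+(?:[ -]\d+)*$/', $input)) {
        return 'Phone number may only contain digits, spaces, hyphens and a leading +.';
    }
    $digitCount = strlen(preg_replace('/\D/', '', $input));
    if ($digitCount < 7 || $digitCount > 15) {
        return 'Phone number must contain between 7 and 15 digits.';
    }
    return null;
}

/**
 * Escape a raw string for an HTML text node or attribute value.
 * This is the OUTPUT step: stored values stay raw, and escaping happens
 * at the moment they are rendered into HTML.
 */
function e(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs for the demo.
$inputs = [
    '+1 555-0100',               // valid
    '555 0100 ext 12',           // letters: rejected, user is told why
    '<script>alert(1)</script>', // rejected, and echoed back safely escaped
];

foreach ($inputs as $input) {
    $error = validatePhone($input);
    if ($error !== null) {
        // Echo the user's own input back unmodified so they see exactly what
        // they typed, but escape it: it is untrusted and this is output.
        echo '<p class="error">' . e($error)
            . ' You entered: <code>' . e($input) . '</code></p>' . PHP_EOL;
        continue;
    }
    // Valid input is kept as-is and escaped only when rendered.
    echo '<input type="tel" name="phone" value="' . e($input) . '">' . PHP_EOL;
}
```

Run it with `php validate_phone.php` (file name assumed). The third input never passes validation, yet it is still escaped when echoed back, because the escape step belongs to output regardless of what validation decided; that is the point of keeping the two steps separate.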