voku / anti-xss

㊙️ AntiXSS | Protection against Cross-site scripting (XSS) via PHP
MIT License
680 stars 106 forks

Just a question about htmlspecialchars and this #128

Open Pok4 opened 1 year ago

Pok4 commented 1 year ago

If I use this library on GET and POST requests, do I also need to use htmlspecialchars or not? Like htmlspecialchars($this->antiXss($_GET['getid']))? I mostly pass these requests to SQL queries. Thanks.

voku commented 1 year ago

In a perfect world you do not need to escape / clean HTML tags if you interact with SQL. You need to use prepared statements or some kind of SQL escaping (e.g. mysqli_real_escape_string). And only if you display your data do you need to escape the HTML tags.

But... sometimes it's hard to escape every variable that is displayed (especially if you do not use a template engine like Twig), and then it may make sense to use htmlspecialchars + anti-xss = https://github.com/voku/value_objects/blob/main/src/voku/value_objects/ValueObjectAntiXss.php

PS: you can use anti-xss without htmlspecialchars if you want to display the string as HTML, so that users will see e.g. a headline and not `<h1>`.
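As an added example that is not part of this issue or of the library's own code, here is the separation voku describes above (parameter binding for SQL, escaping only at display time, AntiXSS only when the string is rendered as HTML) with a constructed id and title standing in for `$_GET['getid']` and a POSTed field. It assumes a Composer autoloader, PHP's pdo_sqlite extension, and the library's `voku\helper\AntiXSS` class with its `xss_clean()` method as documented in the project README (not shown on this page); `findPost()` and `e()` are helper names chosen here.

```php
<?php
// Added example, not from the issue or the library. Assumes composer's
// autoloader with voku/anti-xss installed and pdo_sqlite, so it runs
// offline against an in-memory database.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use voku\helper\AntiXSS;

// Constructed sample input standing in for $_GET['getid'] and a POSTed title.
$untrustedId    = "1' OR '1'='1";                            // SQL injection attempt
$untrustedTitle = '<h1>Hello</h1><script>alert(1)</script>';  // XSS attempt

// 1) Database layer: bind parameters, do not HTML-escape. The value is stored
//    exactly as the user sent it; the driver keeps data and SQL separate.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');

$insert = $pdo->prepare('INSERT INTO posts (id, title) VALUES (:id, :title)');
$insert->execute([':id' => 1, ':title' => $untrustedTitle]);

/** Hypothetical lookup helper: validates the type, then uses a bound parameter. */
function findPost(PDO $pdo, string $rawId): ?array
{
    // A non-integer id is a bad request, not something to hand to the database.
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, title FROM posts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

var_dump(findPost($pdo, $untrustedId) === null); // bool(true): rejected before any SQL runs
$row = findPost($pdo, '1');                      // title still holds the raw markup

// 2) Output as text: escape at the point of display, for the HTML context.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

echo '<title>' . e($row['title']) . "</title>\n";
// The browser shows the literal text "<h1>Hello</h1><script>alert(1)</script>".

// 3) Output as HTML: run AntiXSS instead of htmlspecialchars, so harmless
//    markup such as <h1> is rendered as a headline while the script is removed.
$antiXss = new AntiXSS();
echo '<article>' . $antiXss->xss_clean($row['title']) . "</article>\n";

// 4) Belt and braces for text output, as suggested above: strip known attack
//    patterns first, then escape whatever is left for the HTML context.
echo '<p>' . e($antiXss->xss_clean($row['title'])) . "</p>\n";
```

One caveat worth keeping in mind: htmlspecialchars() is the correct encoding only for HTML element and attribute content. A value placed inside a JavaScript string, a URL or a CSS block needs that context's own encoding, and AntiXSS is a filter rather than an encoder, so it does not substitute for escaping in those contexts either.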