I would like to know the correct way to use htmlspecialchars()

I have been reading about it and looking at what examples I can find, but I guess it's just not registering because I have not been able to apply it myself in my own working example.

Could someone show me how to implement htmlspecialchars() and any other appropriate configuration to make this statement secure and what would be considered professional?

    <h3>Recent Post</h3>
    <?php
    // Values from the database are echoed into the page without escaping
    $stmt = $con->query('SELECT * FROM blogData ORDER BY id DESC');
    while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
        $title    = $row['title'];
        $content  = $row['content'];
        $category = $row['category'];
    ?>
        <div class="features">
            <div class="box"><img src="Developer/common-files/icons/time@2x.png" width="100" height="100" alt="Wuno Inc.">
                <h6><?php echo $category; ?> - <?php echo $title; ?></h6>
                <p><?php echo $content; ?></p>
            </div>
        </div>
    <?php
    }
    ?>
    </div>

Is this how it should be done? Or what more could I do to this?

    <h3>Recent Post</h3>
    <?php
    // Same loop, with each value escaped at the point where it is echoed
    $stmt = $con->query('SELECT * FROM blogData ORDER BY id DESC');
    while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
        $title    = $row['title'];
        $content  = $row['content'];
        $category = $row['category'];
    ?>
        <div class="features">
            <div class="box"><img src="Developer/common-files/icons/time@2x.png" width="100" height="100" alt="Wuno Inc.">
                <h6><?php echo htmlspecialchars($category); ?> - <?php echo htmlspecialchars($title); ?></h6>
                <p><?php echo htmlspecialchars($content); ?></p>
            </div>
        </div>
    <?php
    }
    ?>
wuno
  • What you have is generally considered acceptable. There are some caveats: http://stackoverflow.com/a/110576/362536 The best thing to do is not echo data into HTML at all and use a template engine, letting the template engine do all the appropriate escaping for you. Smarty is a common choice for PHP and is easy to jump into. – Brad Jun 06 '14 at 20:22
  • Basically you use `htmlspecialchars()` for sending output to the browser that you do not want interpreted as HTML. It is best used in situations where you may have characters in your text that mean something in HTML (e.g. `<` and `>`) and you want those characters converted to entities so that the browser doesn't treat it like HTML. – Crackertastic Jun 06 '14 at 20:23
  • Right on, thanks. So any time you echo something that gets interpreted as HTML this could open you up for SQL injection? – wuno Jun 06 '14 at 20:26
  • Not SQL injection. XSS injection. SQL is what you had in the query, and injecting that would be if you had user-input being put directly into your query. To stop SQL injection you would have to parameterize (mysqli_* functions or PDO_*) your input, or sanitize (`mysql_real_escape_string`) it. – nl-x Jun 06 '14 at 20:27
  • Extra variables not needed there. – Deadooshka Jun 06 '14 at 20:27
  • SQL injection occurs when you have input coming from the user and you don't properly sanitize your strings. Prepared statements help to prevent that. What you are thinking about is XSS attack/injection. – Crackertastic Jun 06 '14 at 20:28
  • I wish I understood why this question would get down voted. – wuno Jun 06 '14 at 21:03

1 Answer

Yes, that is how it should be done. But you could also put it in the code above, like:

    $title = htmlspecialchars($row['title']);
    $content = htmlspecialchars($row['content']);
    $category = htmlspecialchars($row['category']);

This way the variables used between your HTML stay short and readable.
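An added example, not code from the question or the answer, showing the escape-at-assignment pattern together with the flags and charset that the default arguments of htmlspecialchars() did not set before PHP 8.1. The e() helper name and the $rows sample data are assumptions standing in for the PDO rows the original loop reads from $stmt.

```php
<?php
// Added example (not the question's or the answer's code). The e() helper and
// the constructed $rows array are assumptions; $rows stands in for the
// PDO::FETCH_ASSOC rows the original loop reads from $stmt.

// Escape a value for an HTML text node or a quoted attribute value.
// ENT_QUOTES also converts single quotes (the pre-PHP 8.1 default, ENT_COMPAT,
// left them alone, which matters inside single-quoted attributes),
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
// and naming the charset keeps the escaping in step with the page encoding.
// This covers HTML context only, not JavaScript, CSS or URL contexts.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample rows: the first carries markup, quotes and an ampersand
// that must be shown literally rather than interpreted by the browser.
$rows = [
    ['category' => 'News', 'title' => "Tom's <b>not bold</b> & co", 'content' => 'Says "hi" <i>there</i>'],
    ['category' => 'Tips', 'title' => 'Plain title',                  'content' => 'Nothing special here'],
];

// Escape once at assignment, as the answer suggests, so the markup below
// stays readable and every use of a variable is already safe for HTML.
foreach ($rows as $row) {
    $title    = e($row['title']);
    $content  = e($row['content']);
    $category = e($row['category']);
?>
    <div class="features">
        <div class="box" title='<?= $title ?>'>
            <h6><?= $category ?> - <?= $title ?></h6>
            <p><?= $content ?></p>
        </div>
    </div>
<?php
}
```

The single-quoted title attribute is there on purpose: with ENT_QUOTES the apostrophe in "Tom's" becomes an entity and cannot terminate the attribute, which the pre-8.1 default flags would not have guaranteed.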

nl-x