
If you use htmlspecialchars() when receiving input from the user, like:

```php
$email = htmlspecialchars($_POST['email']);
```

Should you use a prepared statement if the query is just a SELECT one?

Rosamunda
    Yes. Always. Next. – Strawberry Aug 07 '16 at 20:18
  • You are mixing apples and oranges. [`htmlspecialchars()`](http://php.net/manual/en/function.htmlspecialchars.php) has nothing to do with input. It is used to produce correct HTML output. MySQL and the prepared statements are also not related in any way with input, output or `htmlspecialchars()`. There are many reasons a prepared `SELECT` statement is better than a query constructed by joining strings (no matter where the strings come from). Avoiding [SQL injections](https://en.wikipedia.org/wiki/SQL_injection) is one of them (and probably the most important). – axiac Aug 07 '16 at 20:29

1 Answer

You should always use prepared statements. Here's an example: if a user inputs the following:

"105 or 1=1"

The htmlspecialchars() function won't do anything to it. The query would look like:

```sql
SELECT * FROM Users WHERE UserId = 105 or 1=1
```

See this doc

Ivan
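The answer's scenario carried through as an added example (not code from the question or the answer): the same `105 or 1=1` input sent through a concatenated query and through a PDO prepared statement, with `htmlspecialchars()` applied only where it belongs, at HTML output. PDO over an in-memory SQLite database is an assumption so the script runs offline; the PDO calls are the same against MySQL.

```php
<?php
// Added example, not code from the original question or answer. PDO with an
// in-memory SQLite database is an assumption so the script runs offline; the
// same PDO calls work unchanged against MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Email TEXT)');
$pdo->exec("INSERT INTO Users VALUES (105, 'alice@example.com'), (106, 'bob@example.com')");

// Constructed input mirroring the answer's example. It contains no HTML
// metacharacters, so htmlspecialchars() returns it unchanged.
$input = htmlspecialchars('105 or 1=1');

// Vulnerable: the input is spliced into the SQL text, so "or 1=1" is parsed
// as SQL and the WHERE clause matches every row in the table.
function lookupConcatenated(PDO $pdo, string $id): array
{
    return $pdo->query("SELECT UserId FROM Users WHERE UserId = $id")
               ->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the SQL text is fixed and the input travels as a bound value, so it
// can only ever be compared against UserId, never parsed as SQL.
function lookupPrepared(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT UserId FROM Users WHERE UserId = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A separate concern from injection: validate the type before querying.
// SQLite compares '105 or 1=1' as text and matches nothing, while MySQL
// coerces it to 105 and returns that one row; rejecting non-integers up
// front avoids depending on the database's casting rules either way.
$id = filter_var($input, FILTER_VALIDATE_INT);
$validated = $id === false ? [] : lookupPrepared($pdo, (string) $id);

print_r(lookupConcatenated($pdo, $input));
print_r(lookupPrepared($pdo, $input));
print_r($validated);

// htmlspecialchars() belongs at output time, when a value is placed in HTML.
foreach ($pdo->query('SELECT Email FROM Users') as $row) {
    echo '<li>' . htmlspecialchars($row['Email'], ENT_QUOTES, 'UTF-8') . "</li>\n";
}
```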