I was wondering, whats the best practice on the example below.
<?php
if(isset($_POST['query'])){
$out = $_POST['query'];
}
?>
<div><?php echo $out; ?></div>
<input type="text" value="<?php echo $out; ?>" />
Using the above code would this pose a threat to website. Or would I need to prepare the output before using it as above. By prepare I mean encode it or escape special characters.
I am aware you need to escape it and validate inputs for db use, how about for outputting it?
Yes, since you’re putting it out into HTML you should use encode HTML’s special characters appropriately with htmlspecialchars:
if (isset($_POST['query'])) {
$out = htmlspecialchars($_POST['query']);
}
Besides that, $out is only defined when $_POST['query'] exists; you should think about having a default value if $_POST['query'] does not exist. Because otherwise, when register globals are enabled (that alone is a bad idea) you could set that variable via the URL query string with ?out=….
Yes, you should be using the php function htmlspecialchars http://php.net/manual/en/function.htmlspecialchars.php
also, see this (accepted answer)
Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
dont know about best practise and that depend on the coder i like turnary
echo (isset($_POST['query']))? htmlspecialchars($_POST['query']):"";
