
htmlspecialchars() on array of values fetch

Let's say I fetch data with PDO:

$stmt = $this->dbh->prepare("SELECT * FROM posts");
$stmt->execute();
$result = $stmt->fetchAll();
return $result;

How should I use htmlspecialchars() before displaying the results using echo on the view page? Is it ok to escape the array of results right after fetchAll(), or should I escape all results one by one in the view page?

If I were to use htmlspecialchars() right after fetch, would the following work?

$stmt = $this->dbh->prepare("SELECT * FROM posts");
$stmt->execute();
$result = $stmt->fetchAll();
$results = implode(',', $results);
$results = htmlspecialchars($results);
$results = explode(',', $results);
return $results;


Answer

Disregarding whether your solution in the question actually works (it does not as Marc B pointed out), technically it doesn’t matter where you encode values as long as they are encoded before being written into the page. So it’s pretty much your design decision.

Let me note though that htmlspecialchars() is not the holy grail against XSS. It only protects you when output is written in an HTML context, but not when it's written into JavaScript, for example.

Consider this:

...your html content...
<script type="text/javascript">
    var myvar = <?= $myVar ?>;
</script>
...

In this case, calling htmlspecialchars() on $myVar is not enough if it may contain user input. In the example above, you don't actually need any special character to exploit XSS. The same applies to things like <div onclick="myFun('something', <?=$myVar?>)"> — as it's still a JavaScript context, you need a different encoding.

A full tutorial on XSS does not fit (and I believe does not belong) in an answer here, just wanted to raise attention to the fact that HTML encoding is not always enough at all.

Having said that, applying htmlspecialchars() right after reading data from a database is I think wrong, because at that point you probably don’t care about where data will be used (what context it will be written into). It may also be a separation of concerns thing in your code.

So I would spare encoding data until it actually gets written into the page, because then you know what encoding to use.
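As an added example (not code from the question or the answer above), this is what the answer's advice looks like in a view: the rows from fetchAll() are left as they came from PDO, and the encoder is chosen at the point of output according to the context, htmlspecialchars() for HTML and json_encode() with the JSON_HEX_* flags for a value placed inside <script>. The helper names e_html() and e_js() and the sample rows are constructed for this example.

```php
<?php
// Added example (not code from the original question or answer).
// Assumes $rows has the shape returned by $stmt->fetchAll(PDO::FETCH_ASSOC);
// the rows below are constructed to stand in for a real query result.

// Encoder for an HTML text or double-quoted attribute context.
function e_html(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encoder for a JavaScript context (a literal inside <script>).
// json_encode() emits a valid JS literal; the JSON_HEX_* flags turn
// < > & ' " into \uXXXX escapes, so a value cannot close the <script>
// element or break out of the literal it is placed in.
function e_js($value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed sample rows. Note the title containing a comma: a round
// trip through implode(',') / explode(',') would split it in two, which is
// one reason the approach in the question does not work.
$rows = [
    ['id' => 1, 'title' => 'Hello, world', 'body' => 'plain text'],
    ['id' => 2, 'title' => '<b>bold</b>',  'body' => 'He said "hi" & left'],
    ['id' => 3, 'title' => "It's a post",  'body' => '</script><b>not code</b>'],
];
?>
<!-- HTML context: htmlspecialchars() is the right encoder here. -->
<ul>
<?php foreach ($rows as $row): ?>
  <li data-id="<?= e_html((string) $row['id']) ?>">
    <?= e_html($row['title']) ?>: <?= e_html($row['body']) ?>
  </li>
<?php endforeach; ?>
</ul>

<!-- JavaScript context: HTML encoding alone is not enough; use a JS encoder. -->
<script>
  var posts = <?= e_js($rows) ?>;
  // The page source contains only \uXXXX escapes for < > & ' " (and \/ for
  // slashes), while posts[2].body holds the original string at runtime.
</script>
```

Because the rows are never modified, the same $rows array can be rendered into both contexts on one page without double-encoding or losing data; the context decides the encoder, which is the point the answer makes about deferring encoding until output.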

User contributions licensed under: CC BY-SA