Using htmlspecialchars in mysqli_stmt_bind_result()

Time: 2014-09-01 21:43:44

Tags: mysqli prepared-statement xss

Can htmlspecialchars or htmlentities be used in mysqli_stmt_bind_result?

    mysqli_stmt_bind_result($stmt, htmlspecialchars($var1));

Or better... if I am already using htmlspecialchars when echoing the form values, would inserting the validated values with mysqli_stmt_bind_param mean there is no need to run them through htmlspecialchars again before outputting them to the page?

    // if it passes input validation from the form...
    $var1 = htmlentities($_POST['var1']);

    // in the prepared statement, binding the value to be used in the page...
    mysqli_stmt_bind_param($stmt, "s", $var1);

0 answers:

No answers
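An added example illustrating the two points the question turns on (this is not code from the question or from any answer on this page): mysqli_stmt_bind_result() binds plain variables by reference, so a function call such as htmlspecialchars($var) cannot be passed to it, and data should be stored raw and escaped once, at output time, because a value escaped before storage and escaped again on output ends up double-encoded. The table and column names, the e() helper and the fetch_names() function are assumptions for illustration; the offline demonstration at the bottom uses a constructed row so it runs without a database.

```php
<?php
// Added example, not from the original page. Shows escaping at output time
// with mysqli prepared statements, and why escaping before storage backfires.

declare(strict_types=1);

// Escape a string for insertion into HTML text or a quoted attribute.
// Done once, at the point where the value is written into the page.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical query helper (table `users` with columns id, name is assumed).
// mysqli_stmt_bind_result() needs variables it can write into by reference,
// so the raw column values are fetched here and escaped only when rendered.
function fetch_names(mysqli $db, int $minId): array
{
    $stmt = mysqli_prepare($db, 'SELECT id, name FROM users WHERE id >= ?');
    mysqli_stmt_bind_param($stmt, 'i', $minId);   // input: bound parameter, not escaping
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $id, $name);   // output: plain variables, by reference
    $rows = [];
    while (mysqli_stmt_fetch($stmt)) {
        $rows[] = ['id' => $id, 'name' => $name]; // keep the stored data unescaped
    }
    mysqli_stmt_close($stmt);
    return $rows;
}

// Render one row as an HTML list item; this is the only place escaping happens.
function render_row(array $row): string
{
    return '<li data-id="' . e((string) $row['id']) . '">' . e($row['name']) . '</li>';
}

// --- Offline demonstration with a constructed row (no database needed) ---
$raw = ['id' => 7, 'name' => "O'Brien <script>alert(1)</script> & Sons"];

// 1) Store raw, escape at output: the markup is inert and the data is intact.
echo render_row($raw), PHP_EOL;

// 2) Escape before storage, as the question proposes, and then escape again at
//    output: the entities produced by htmlentities() are escaped a second time,
//    so the page shows the entity text literally instead of the original name.
$storedEscaped = ['id' => 7, 'name' => htmlentities($raw['name'], ENT_QUOTES, 'UTF-8')];
echo render_row($storedEscaped), PHP_EOL;

// 3) The pre-escaped value is also wrong for every non-HTML consumer of the
//    column (JSON APIs, CSV exports, e-mail), which is the usual argument for
//    escaping per output context rather than at input.
```

Run with `php example.php`; the first line printed is the safe rendering of the raw name, the second shows the double-encoding that results from escaping on the way in and again on the way out. The fetch_names() function is only reachable with a live mysqli connection and is included to show where bind_result fits in the pattern.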