htmlspecialchars可以使用htmlentities或mysqli_stmt_bind_result吗?
mysqli_stmt_bind_result($stmt,htmlspecialchars($var1));
或者更好......如果我已经使用htmlspecialchars来回显表单值,那么在输出到页面之前插入已验证的值将无需再次在htmlspecialchars中使用mysqli_stmt_bind_param ?
//if passes input validation from form...//
$var1 = htmlentities($_POST['var1']);
//in prepared statement, binding value to be used in page...//
mysqli_stmt_bind_param($stmt,"s",$var1);