Can htmlspecialchars or htmlentities be used with mysqli_stmt_bind_result?

mysqli_stmt_bind_result($stmt, htmlspecialchars($var1));

Or better... if I am already using htmlspecialchars to echo the form values, would inserting the validated values before output to the page remove the need to use htmlspecialchars again with mysqli_stmt_bind_param?
<?php
// if it passes input validation from the form...
$var1 = htmlentities($_POST['var1']);
// in the prepared statement ($stmt is already prepared), binding the value to be used in the page...
mysqli_stmt_bind_param($stmt, "s", $var1);
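The question mixes two separate defences: a bound parameter keeps the value out of the SQL grammar, and htmlspecialchars keeps it out of the HTML grammar. The example below is added here and is not the asker's code; it shows the usual layering (store the raw value through bind_param, escape once at output) and reads rows back with bind_result on a plain variable, since bind_result takes its arguments by reference and cannot be given a function call such as htmlspecialchars($var1). The `$db` mysqli connection and the `comments(body)` table are assumptions made for illustration; only the output-escaping part is exercised when the file is run without a database.

```php
<?php
// Added example, not from the question. Assumed: a mysqli connection in
// $db and a table `comments(body TEXT)`; both are hypothetical.
declare(strict_types=1);

/** Store the submitted text exactly as received. The placeholder, not
 *  any escaping, is what keeps the value out of the SQL statement. */
function store_comment(mysqli $db, string $raw): bool
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (?)');
    $stmt->bind_param('s', $raw);   // no htmlentities() at this layer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

/** Escape once, at the point the value enters an HTML text node or
 *  attribute. ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE
 *  replaces invalid byte sequences, and the charset is explicit. */
function render_comment(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Read rows back. bind_result needs a variable it can write to by
 *  reference, so the escaping happens afterwards, per rendered value. */
function render_all(mysqli $db): string
{
    $stmt = $db->prepare('SELECT body FROM comments');
    $stmt->execute();
    $stmt->bind_result($body);
    $html = '';
    while ($stmt->fetch()) {
        $html .= '<li>' . render_comment($body) . "</li>\n";
    }
    $stmt->close();
    return $html;
}

// Offline demonstration of the output layer on a constructed input.
$sample = '<b>not bold</b> & "double" \'single\' quotes';
echo render_comment($sample), "\n";
```

Because the database holds the unescaped text, the same stored value can later be emitted as JSON, plain text or an e-mail body with the escaping appropriate to that context, instead of carrying HTML entities into every consumer.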