PHP
Secure Input Handling: Escape HTML & Sanitize for Database
Learn to prevent XSS and SQL injection in PHP by escaping data at the point of HTML output and by parameterizing database queries with PDO prepared statements, so untrusted input can never change the structure of the page or the query.
<?php
declare(strict_types=1);

// Escape HTML special characters for output (XSS prevention).
// ENT_QUOTES also encodes ' and ", so the result is safe inside quoted attributes;
// ENT_HTML5 selects HTML5 entity rules; always pass the charset explicitly.
function escape_html(string $data): string {
    return htmlspecialchars($data, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Prepared statement for database access (SQLi prevention).
// The SQL text contains only a placeholder; the value is sent separately as a typed parameter.
function get_user_data(PDO $pdo, int $user_id): ?array {
    $stmt = $pdo->prepare("SELECT username, email FROM users WHERE id = :id");
    $stmt->bindParam(':id', $user_id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Usage example:
// Assuming $pdo is an initialized PDO object
// $username = "<script>alert('XSS!');</script>";
// echo "Welcome, " . escape_html($username);
// $userId = 1;
// $userData = get_user_data($pdo, $userId);
// if ($userData) {
//     echo "Username: " . escape_html($userData['username']) . ", Email: " . escape_html($userData['email']);
// }
?>
How it works: This snippet demonstrates two complementary practices. `escape_html` prevents Cross-Site Scripting (XSS) by converting the characters that carry meaning in HTML (`<`, `>`, `&`, `"`, and with `ENT_QUOTES` also `'`) into entities, so user-supplied data renders as text in element content or in a quoted attribute value instead of being parsed as markup. Escaping belongs at output time, not at storage time, and it is context-specific: this function is not sufficient for data placed inside a JavaScript block, a URL, or CSS, which each need their own encoder. The `get_user_data` function uses a PDO prepared statement to prevent SQL Injection: the query is sent to the database with a placeholder and the bound value travels separately as typed data, so it can never be interpreted as SQL. Two caveats apply. PDO's MySQL driver emulates prepares client-side by default, so set `PDO::ATTR_EMULATE_PREPARES` to `false` for true server-side prepared statements. And placeholders can only stand in for values, never for table or column names or an `ORDER BY` direction; those must be checked against an allowlist.
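The following added example (not part of the original snippet) puts the string-concatenation query and the prepared statement side by side against a constructed probe input, and shows the HTML escape in an attribute context. It assumes the `pdo_sqlite` extension is available so it runs against an in-memory database; the `users` table and its rows are constructed here.

```php
<?php
declare(strict_types=1);

// Added example, not from the original page. Assumes pdo_sqlite is installed;
// the table and rows below are constructed test data.
function make_demo_pdo(): PDO {
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepares where the driver supports them
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    $pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)");
    $pdo->exec("INSERT INTO users VALUES (1, 'alice', 'alice@example.com'), (2, 'bob', 'bob@example.com')");
    return $pdo;
}

// VULNERABLE: the raw request value is spliced into the SQL text,
// so an attacker controls part of the query's structure.
function get_user_vulnerable(PDO $pdo, string $id_from_request): array {
    $sql = "SELECT username, email FROM users WHERE id = " . $id_from_request;
    return $pdo->query($sql)->fetchAll();
}

// SAFE: validate the value's shape, then bind it as a typed parameter.
// The SQL text never changes, whatever the request contains.
function get_user_safe(PDO $pdo, string $id_from_request): array {
    $id = filter_var($id_from_request, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return []; // not a positive integer: reject before touching the database
    }
    $stmt = $pdo->prepare("SELECT username, email FROM users WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Same output-escaping helper as the snippet above.
function escape_html(string $data): string {
    return htmlspecialchars($data, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$pdo   = make_demo_pdo();
$probe = "1 OR 1=1"; // constructed attacker input for the id parameter

// The OR clause becomes part of the query and every row is returned.
echo "vulnerable rows: " . count(get_user_vulnerable($pdo, $probe)) . PHP_EOL;
// Validation rejects the probe; even if it were bound directly it would be
// compared as a literal value, not parsed as SQL.
echo "safe rows:       " . count(get_user_safe($pdo, $probe)) . PHP_EOL;
echo "safe lookup:     " . escape_html(get_user_safe($pdo, "2")[0]['username']) . PHP_EOL;

// Output escaping in an attribute context: the payload tries to close the
// quoted value and add an event handler; ENT_QUOTES turns the quotes into entities.
$name = "\" onmouseover=\"alert(1)";
echo '<input value="' . escape_html($name) . '">' . PHP_EOL;
```

Run it with `php example.php`. The vulnerable function returns both seeded rows for the probe because `1 OR 1=1` is true for every row; the safe function returns none, because the value fails integer validation before a query is built, and the ordinary lookup for id `2` still works. In the last line the injected `"` and `onmouseover` survive only as `&quot;` and plain text inside the attribute, so the browser never sees an event handler. Validating the shape of an input (here, a positive integer) is a complement to parameterization, not a substitute for it: the prepared statement is what guarantees the query structure cannot change.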