I am not sure how I should use HTMLPurifier; I don't want to slow the system down. I want to strip everything out so my site can't get infected by XSS injections when I later echo out the data that the user has posted. Also, I'm using bind_param() later to protect against SQL injections.
So should I use htmlPurifier like this:
require_once 'HTMLPurifier.auto.php'; // registers the HTML Purifier autoloader
$name = $_POST['name'];
$comment = $_POST['comment'];
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
// one purify() call per field, each on a single string
$clean_name = $purifier->purify($name);
$clean_comment = $purifier->purify($comment);
Or should I use it like this:
require_once 'HTMLPurifier.auto.php'; // registers the HTML Purifier autoloader
$dirty_html = array('name' => $_POST['name'], 'comment' => $_POST['comment']);
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
// the whole array handed to purify() in one call
$clean_html = $purifier->purify($dirty_html);
Would both be equally fast? The main goal is to sanitize against XSS; it should leave only plain text so that I can later echo out the data.
Only the first code snippet works. Even if the second snippet worked, it wouldn't have any performance difference.
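An added example illustrating both the question and the answer above; it is not code from either poster. It assumes HTML Purifier is installed with HTMLPurifier.auto.php on the include path, uses a constructed array in place of $_POST, and relies on two library features the question does not mention: purifyArray(), which runs purify() over every value of an array, and the HTML.Allowed directive, which with an empty allow-list leaves no elements at all. The escape_for_html() helper is a name chosen here for plain htmlspecialchars().

```php
<?php
// Added example, not code from the question or the answer.
// Assumes HTML Purifier is installed and HTMLPurifier.auto.php is on the include path.
require_once 'HTMLPurifier.auto.php';

// Constructed sample input standing in for $_POST.
$post = array(
    'name'    => 'Alice <script>alert(1)</script>',
    'comment' => 'Nice <b>post</b>! <a href="javascript:alert(1)">link</a>',
);

// Build each purifier once and reuse it for every request field. Constructing the
// purifier (and its HTML definition) is the expensive step; purify() on a short
// string is cheap, so per-field calls and an array call cost about the same.

// 1) Default config: keeps a safe HTML subset (e.g. <b>, <a> with an http/https
//    href), drops <script> and javascript: URLs. Use this when a field is allowed
//    to carry some formatting.
$htmlPurifier = new HTMLPurifier(HTMLPurifier_Config::createDefault());

// 2) Text-only config: an empty HTML.Allowed list permits no elements, so only
//    the text content survives. Use this when a field must be plain text.
$textConfig = HTMLPurifier_Config::createDefault();
$textConfig->set('HTML.Allowed', '');
$textPurifier = new HTMLPurifier($textConfig);

// purify() takes a single string; purifyArray() applies it to each array value.
$cleanHtml = $htmlPurifier->purifyArray($post);
$cleanText = $textPurifier->purifyArray($post);

// Output-time escaping for values that are meant as text, not markup. Whatever
// was stored (for example via bind_param()), escaping here makes the browser
// display the value literally instead of interpreting it.
function escape_for_html($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// The name is plain text: escape it on echo. The comment is purified HTML and is
// echoed as-is, because the purifier already reduced it to its allow-list.
// Do not apply both steps to the same field, or allowed tags appear as literal text.
echo '<p>Name: ', escape_for_html($cleanText['name']), '</p>', PHP_EOL;
echo '<div class="comment">', $cleanHtml['comment'], '</div>', PHP_EOL;
```

For the stated goal of plain text only, the purifier is optional: storing the raw input with bind_param() and escaping with htmlspecialchars() at every echo into an HTML context already prevents the browser from executing it. HTML Purifier earns its cost when some HTML (bold, links) must be preserved in the output.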