
Flex & PHP: How to Use htmlspecialchars?


I'm using Flex 3 with remoting to return data from a MySQL database. Do I need to use htmlspecialchars in order to keep my site secure?

As I understand it, htmlspecialchars is used to "sanitize" data returned from the db. For example:

// Build the query; the interpolated $type is escaped so a quote in it cannot break out of the string literal
$query = "SELECT latitude, longitude FROM myTable WHERE type = '" . mysql_real_escape_string($type) . "'";

$result = mysql_query($query);

// Copy each row into a value object for the Flex client
$ret = array();
while ($row = mysql_fetch_object($result)) {
    $tmp = new VOmyData();
    $tmp->latitude = $row->latitude;
    $tmp->longitude = $row->longitude;
    $ret[] = $tmp;
}
mysql_free_result($result);

return $ret;

How do I use it in the case above?

return htmlspecialchars($ret);

or do I write:

$result = htmlspecialchars($result);

or something else?


Solution

  • htmlspecialchars() is used to sanitize user-supplied input if you're echoing it back to the user, in order to prevent Cross-Site Scripting (XSS). Additionally, if your DB is storing HTML-formatted strings, and you want to display them to the user as text (as opposed to having them interpreted by their browser as HTML), then use htmlspecialchars().

    In your case, if the output is just numbers, it's not really necessary.
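To make the answer concrete, here is an added example (not from the original question or answer) showing where htmlspecialchars() actually belongs: on each individual string at the moment it is written into HTML, not on the whole $ret array and not on the mysql result resource. The VOmyData class, the hypothetical string column "name", and the sample rows are constructed for illustration; the numeric latitude/longitude fields mirror the question.

```php
<?php
// Added example, not code from the original post.
// VOmyData and the 'name' field are assumptions made for this illustration.

class VOmyData
{
    public $latitude;
    public $longitude;
    public $name; // hypothetical string column; the question's columns are numeric only
}

// Constructed sample rows standing in for what mysql_fetch_object() would return.
function fetchSampleRows()
{
    $a = new VOmyData();
    $a->latitude  = 48.8566;
    $a->longitude = 2.3522;
    $a->name      = "O'Reilly <b>& Sons</b>"; // contains the characters htmlspecialchars() must encode

    $b = new VOmyData();
    $b->latitude  = 51.5074;
    $b->longitude = -0.1278;
    $b->name      = 'Plain name';

    return array($a, $b);
}

// Encode one value for use in HTML text or a double-quoted attribute.
// ENT_QUOTES also encodes single quotes; the charset must match the page's charset.
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Returning rows to Flex over remoting: send the raw values unchanged.
// Encoding here would corrupt the data ("&amp;" would reach the Flex client literally);
// the client is responsible for how it renders the strings.
function getPlacesForRemoting()
{
    return fetchSampleRows();
}

// Rendering the same rows as an HTML page: encode every field at output time.
// Numbers pass through htmlspecialchars() unchanged, so encoding them is
// harmless but, as the answer says, unnecessary.
function renderPlacesHtml(array $rows)
{
    $html = "<ul>\n";
    foreach ($rows as $row) {
        $html .= sprintf(
            "  <li data-lat=\"%s\" data-lng=\"%s\">%s</li>\n",
            h($row->latitude),
            h($row->longitude),
            h($row->name)
        );
    }
    return $html . "</ul>\n";
}

echo renderPlacesHtml(getPlacesForRemoting());
```

Neither of the two forms in the question works: htmlspecialchars() takes a single string, so handing it the $ret array or the $result resource is not meaningful. The rule this example follows is to store data raw, escape each string where it meets HTML, and leave purely numeric output alone.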