The other side of the coin in web data security is preparing your information to be sent out, generally to one of two destinations: to the web browser as display output, or to a database engine as storage output. It is a common mistake to think that because the data is yours and you filtered it when you received it, it is free from error and therefore safe to send as output. Remember the caveat that is the security mantra: never completely trust your data, even if it is yours. In other words, “better safe than sorry.”
So the first area of output that we will look at is sending data to a browser. Remember, PHP is basically an HTML generator: the actual code that shows in the user’s browser when you view the source is raw HTML. To help PHP turn out proper HTML, we can use the htmlspecialchars function. This function converts the characters that are significant in HTML (such as &lt;, &gt;, &amp; and quotes) into their respective HTML entities, so the data is rendered as literal text rather than interpreted as HTML markup. Here is an example:
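The following is an added example, not the book’s own listing, showing the difference between writing a value straight into an HTML page and passing it through htmlspecialchars first. The helper name h() and the sample comment string are assumptions made for this illustration.

```php
<?php
// Added example (not from the book): escaping untrusted data before it is
// written into an HTML page. The input below is constructed for illustration.

// Render a value for use inside an HTML text node or a double-quoted attribute.
// ENT_QUOTES escapes both ' and ", ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning an empty string, and the explicit charset
// keeps the escaping consistent with the page's declared encoding.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input, as a user might type it into a comment form.
$comment = 'Tom & Jerry said <b>"hi"</b> to O\'Neil';

// Unsafe: the markup inside $comment becomes live HTML in the page, so the
// <b> tag is interpreted and the bare & and quotes produce malformed HTML.
$unsafe = "<p class=\"comment\">$comment</p>";

// Safe: the same text is rendered literally. The attribute value is escaped
// with the same helper, so a quote in the data cannot close the attribute.
$safe = '<p class="comment" title="' . h($comment) . '">' . h($comment) . '</p>';

echo $unsafe, "\n";
echo $safe, "\n";
```

Store the raw value and escape it at the moment it is emitted, choosing the escaping for the context: htmlspecialchars covers HTML text and quoted attribute values, but data placed inside a JavaScript block or a URL needs the encoding appropriate to that context instead.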