
Security Announcement

Understand how to secure PHP form input by using output escaping to prevent JavaScript injection attacks. Learn why echoing user-supplied data without escaping is dangerous and how htmlspecialchars safeguards your application by converting special characters to safe HTML entities. This lesson helps you build safer PHP web applications by applying essential security measures when displaying user data.

Never echo without any safety precautions

Echoing user-supplied data without escaping it first is dangerous.

Try this: Run the code below, and open the application in a new tab. In the number field, fill in 4" onclick="alert('Hellooooo'). Now submit the form. Nothing looks off, and the number 4 still shows up in the form field. Now, click on the number ... ...
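The following is an added example, not the lesson's own code: it renders a number field twice with the input from the exercise above, once echoed raw and once passed through htmlspecialchars, so the two resulting tags can be compared. The helper names (e, renderFieldUnsafe, renderFieldSafe) and the field name "number" are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Escape a value for use in HTML text or inside a quoted attribute.
function e(string $value): string
{
    // ENT_QUOTES converts both double and single quotes to entities.
    // ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of
    // returning an empty string for the whole value.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe: the raw value is concatenated into the value="..." attribute.
function renderFieldUnsafe(string $number): string
{
    return '<input type="text" name="number" value="' . $number . '">';
}

// Safe: identical markup, but the value is escaped at output time.
function renderFieldSafe(string $number): string
{
    return '<input type="text" name="number" value="' . e($number) . '">';
}

// In a real form handler this would be $_POST['number'] ?? ''.
// The input from the exercise is embedded here so the script also
// runs from the command line (php example.php).
$number = "4\" onclick=\"alert('Hellooooo')";

echo "Unescaped:\n", renderFieldUnsafe($number), "\n\n";
echo "Escaped:\n", renderFieldSafe($number), "\n";
```

In the unescaped tag, the double quote in the input closes the value attribute after the 4, and the rest of the input is parsed by the browser as a separate onclick attribute. In the escaped tag, the quotes are emitted as HTML entities, so the whole input stays inside the value attribute as plain text.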