For my simple application where I chose to write my own solution for blog comments, I'm doing these 3 steps:
1. Taking data from basic HTML form inputs via POST, then escaping the strings like this:
```php
// Input is HTML-escaped once, before it is stored (step 1 of the question).
$komentar = htmlspecialchars($_POST['komentar'], ENT_QUOTES, 'UTF-8');
```
2. Using PDO for db insertion:
```php
// Note: bind_param()/close() are the mysqli API, not PDO; the insert itself is
// properly parameterised either way.
$stmt = $conn->prepare("INSERT INTO komentare (id, jmeno, komentar, clanek) VALUES (DEFAULT, ?, ?, ?)");
$stmt->bind_param("sss", $jmeno, $komentar, $clanek);
$stmt->execute();
$stmt->close();
$conn->close();
```
3. Listing the results back using plain SELECT and loop-echoing like this:
```php
// $clanek is interpolated straight into the query here, unlike the
// parameterised INSERT above.
$sql = "SELECT jmeno, komentar FROM komentare WHERE clanek = '$clanek' ORDER BY id DESC";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
    while ($row = $result->fetch_assoc()) {
        $zviratkoNum    = rand(1, 10);
        $vypis_jmeno    = $row["jmeno"];
        $vypis_komentar = $row["komentar"];
        // Stored values are echoed as-is; no escaping is applied at output time.
        echo "<div class='radek'><span class='jmeno zviratka-" . $zviratkoNum . "'>" . $vypis_jmeno
           . "</span><span class='komentar'>" . $vypis_komentar . "</span></div>";
    }
} else {
    echo "<h5>Zatím zde nejsou žádné komentáře</h5>";
}
$conn->close();
```
I thought it was bad practice because, while I escape the input (hopefully properly), I'm not escaping the data when I retrieve it. But to my surprise, it gets echoed into the DOM as text (screenshot from my real test comment):
- Why?
- Is it bad practice?
Thanks in advance, Adam
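An added example, not part of Adam's post, showing why the stored comment renders as text and what the usual alternative looks like: escape once at output time and store the raw string, plus a parameterised form of the SELECT. The `e()`, `renderComment()` and `fetchComments()` helpers are assumptions introduced here; `fetchComments()` assumes a connected `mysqli` object with mysqlnd (for `get_result()`).

```php
<?php
declare(strict_types=1);

// Escape exactly once, at output time. Storing raw text and escaping here keeps
// the data reusable (search, a JSON API, plain-text mail) without double encoding.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderComment(string $jmeno, string $komentar, int $zviratkoNum): string {
    return "<div class='radek'>"
         . "<span class='jmeno zviratka-" . $zviratkoNum . "'>" . e($jmeno) . "</span>"
         . "<span class='komentar'>" . e($komentar) . "</span>"
         . "</div>";
}

// Constructed sample comment, raw and after the question's input escaping.
$raw     = "<b>hi</b> & bye";
$escaped = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');   // "&lt;b&gt;hi&lt;/b&gt; &amp; bye"

// 1. Store raw, escape on output: the browser displays "<b>hi</b> & bye" as text.
echo renderComment("Adam", $raw, 3), PHP_EOL;

// 2. The question's situation: the stored value is already "&lt;b&gt;...", so echoing it
//    unescaped makes the browser decode the entities and show the tag as text. That is
//    why it "works"; the markup never reaches the parser as markup.
echo $escaped, PHP_EOL;

// 3. Escaping already-escaped data again double-encodes: "&lt;" becomes "&amp;lt;" and the
//    visitor sees a literal "&lt;b&gt;". htmlspecialchars's double_encode=false avoids that
//    if a table already holds escaped rows.
echo renderComment("Adam", $escaped, 3), PHP_EOL;
echo htmlspecialchars($escaped, ENT_QUOTES, 'UTF-8', false), PHP_EOL;   // unchanged

// Parameterised version of the question's SELECT: the article id is bound, not interpolated.
function fetchComments(mysqli $conn, string $clanek): array {
    $stmt = $conn->prepare("SELECT jmeno, komentar FROM komentare WHERE clanek = ? ORDER BY id DESC");
    $stmt->bind_param("s", $clanek);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```

With `fetchComments()` feeding `renderComment()`, the listing loop needs no change in behaviour other than the escaping moving from insert time to display time.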