I have a PHP web service which returns data in JSON format. I have a custom backend to maintain the data. When I save a record via the backend I use htmlspecialchars() on string fields.
An example web service call would run this code:
// $venue holds the venue ID taken from the request; getConnection() returns a PDO handle
$dbh = getConnection('read');
// the ID is bound as a parameter, so the query itself is not the problem
$sql = "SELECT Name, Location FROM Venues WHERE id = :venueID";
$sth = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
$sth->execute(array(':venueID' => $venue));
// rows come back exactly as stored, i.e. still htmlspecialchars()-encoded
$data = $sth->fetchAll(PDO::FETCH_ASSOC);
header("Content-type: application/json");
// json_encode() leaves HTML entities such as &amp; untouched
print(json_encode(array('venues'=>$data)));
So let's assume that for the provided venue ID the name has a & in it. The web service is called by an Android application, so in the application it is displayed as &amp; and not &.
Questions:
- Do I tweak the custom backend to not use htmlspecialchars? I am the only admin, so the data going in is safe.
- Is there a way to run htmlspecialchars_decode on the resultset without looping through the results before I print the JSON?
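The following is an added example, not the asker's code, that reproduces the symptom with a constructed result set and shows both routes out of it: decoding the entities on the way out of the JSON endpoint without a hand-written foreach (array_walk_recursive still iterates, it just does so inside PHP), and storing raw text so that each output context applies its own escaping. The `$storedRows` array stands in for what `fetchAll()` would return; the function names are the example's own.

```php
<?php
// Added example (not the asker's code). Demonstrates why the Android client
// sees "&amp;" and two ways to fix it.

// Constructed sample: what the backend stored after running htmlspecialchars()
// on the Name and Location fields. Stands in for $sth->fetchAll(PDO::FETCH_ASSOC).
$storedRows = [
    ['Name' => 'Tom &amp; Jerry&#039;s', 'Location' => '&lt;b&gt;Town&lt;/b&gt;'],
    ['Name' => 'Plain Venue',            'Location' => 'Downtown'],
];

// The symptom: json_encode() does not know about HTML entities, so the
// stored "&amp;" goes to the client literally as "&amp;".
function encodeAsStored(array $rows): string
{
    return json_encode(['venues' => $rows]);
}

// Route 1: decode every string cell of the result set before encoding.
// array_walk_recursive() visits nested rows, so it works on the fetchAll()
// shape directly. ENT_QUOTES also undoes &quot; and &#039;, which
// htmlspecialchars() produces when called with ENT_QUOTES (the default
// since PHP 8.1); non-string cells (ints, nulls) are left alone.
function decodeEntities(array $rows): array
{
    array_walk_recursive($rows, function (&$value) {
        if (is_string($value)) {
            $value = htmlspecialchars_decode($value, ENT_QUOTES);
        }
    });
    return $rows;
}

// Route 2: keep raw text in the database and escape at the output boundary.
// json_encode() already emits valid JSON for any string, so the JSON consumer
// (the Android app) needs nothing else. The JSON_HEX_* flags additionally
// turn <, >, &, ' and " into \uXXXX escapes, which keeps the same payload
// safe if it is ever inlined into an HTML page inside a <script> block.
function encodeRaw(array $rows): string
{
    return json_encode(
        ['venues' => $rows],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Usage: compare the three outputs.
$rawRows = decodeEntities($storedRows);
echo "as stored : ", encodeAsStored($storedRows), "\n";
echo "decoded   : ", json_encode(['venues' => $rawRows]), "\n";
echo "raw+hex   : ", encodeRaw($rawRows), "\n";
```

Route 1 is the drop-in fix for the existing data; Route 2 is the cleaner design, because htmlspecialchars() is HTML-context escaping and a JSON endpoint is a different context. Encoding once at storage time means every consumer that is not an HTML page has to undo it, whereas encoding at output lets the HTML backend call htmlspecialchars() on display and the JSON endpoint rely on json_encode(). If you migrate existing rows, run htmlspecialchars_decode() over them once with the same ENT_* flags the backend used to encode, so values that legitimately contained "&amp;" before encoding come back correctly rather than being double-decoded.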