I'm quite new here. I'm trying to make a blog/journal site that allows users to post their own journal. I'm still quite reluctant on making it because I am really afraid of malicious code injections.
So here's a sample code:
<?php
$test = "<b>blah</b>"; //User input from SQL
echo "$test";
?>
What will come out is just the word "blah" in bold right? What I was trying to achieve was to echo "<b>blah</b>
" instead. I don't want people to put some PHP codes that can actually mess up my whole web page. Please keep in mind that the variable $test
is actually a MYSQL query, so that variable will be needed as an example. I know you can do echo '$test';
but it just comes out as "$test"
instead. I feel like pulling my hair out I can't figure it out yet.
The second solution I know of is the htmlspecialchars();
function, but I want the strings to display as what I typed, not the converted ones...
Is there any way I can do that?