I am working on a web application where some data, stored in a database, is displayed in a div.
Since this data comes from the user, in order to prevent any JavaScript injection I want to use the htmlspecialchars() function on each single value extracted from the database before building my web page. I am using the following function to iterate through the arrays of data that I get from the database.
function filter(&$arr) {
    foreach ($arr as $key => &$val) {
        if (is_array($val)) {
            filter($val);                       // recurse into nested arrays
        } else {
            $val = htmlspecialchars($val);      // always returns a string, even for an int
        }
    }
    unset($val); // drop the reference left behind by the by-reference foreach
}
But when the array of data is processed by this function the integer values are converted into strings.
Is there a way to prevent this conversion?
I prefer to have the integers as integers because part of the data is processed by JavaScript and some parts of the code do not work properly if the data is supplied as a string. I am looking for a generic solution that can be applied no matter what type of data comes from the database.
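One way to do this, as an added example that is not part of the original question: only escape values that are actually strings and let integers, floats, booleans and null pass through, and use json_encode() rather than htmlspecialchars() for the part of the data that is handed to JavaScript, since JSON preserves the types and the JSON_HEX_* flags make the output safe inside a script block. The function names, the sample row and the assumption that the database driver returns native PHP types are mine.

```php
<?php
declare(strict_types=1);

// Escape only string values, recursively; every other scalar keeps its type.
function escapeStringsDeep(array $data): array
{
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $data[$key] = escapeStringsDeep($value);
        } elseif (is_string($value)) {
            // ENT_QUOTES also escapes single quotes, so the value is safe in
            // both double- and single-quoted attributes; ENT_SUBSTITUTE avoids
            // returning an empty string on invalid UTF-8.
            $data[$key] = htmlspecialchars(
                $value,
                ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
                'UTF-8'
            );
        }
        // int, float, bool and null fall through untouched
    }
    return $data;
}

// For data that JavaScript will consume, encode it as JSON instead of HTML-
// escaping it: ints stay ints, and the HEX flags prevent "</script>" and
// quote characters from breaking out of an inline <script> block.
function jsonForInlineScript(array $data): string
{
    $json = json_encode(
        $data,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return $json;
}

// Constructed sample row (not from a real database), shaped as a driver
// that returns native types would produce it.
$row = [
    'id'     => 42,
    'price'  => 9.99,
    'active' => true,
    'note'   => null,
    'name'   => '<script>alert("x")</script>',
    'tags'   => ['a&b', 7, "it's"],
];

$forHtml = escapeStringsDeep($row);
var_dump($forHtml['id']);      // still an int
var_dump($forHtml['name']);    // escaped string
var_dump($forHtml['tags'][1]); // still an int

echo '<div>' . $forHtml['name'] . '</div>', PHP_EOL;
echo '<script>var row = ' . jsonForInlineScript($row) . ';</script>', PHP_EOL;
```

One caveat that matters for a "generic" solution: is_string() can only preserve integers that arrived as integers. With PDO and emulated prepared statements (the default for pdo_mysql) every column is fetched as a string, so the check above would escape the numeric strings and JavaScript would still receive strings. Setting PDO::ATTR_EMULATE_PREPARES to false (with mysqlnd) or PDO::ATTR_STRINGIFY_FETCHES to false makes integer and float columns come back as native PHP types; otherwise cast by column type before escaping.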