Diogo Gomes (7,054 Points)
Enhancing a simple php application - Paginating a List: Model and View
Hi Randy,
First of all: thanks for both PHP courses, i've learned a lot.
Just a quick question: in the shirts.php final version we have this line of code: $current_page = $_GET["pg"];
Shouldn't it be: $current_page = htmlspecialchars($_GET["pg"]);
Shouldn't we always use htmlspecialchars() with get variables?
Cheers, Diogo Gomes
1 Answer
Randy Hoyt (Treehouse Guest Teacher)
Good question! With htmlspecialchars, we are trying to escape the variable value so that we can display it on a web page. It's a better practice to use htmlspecialchars when you actually echo out the value in view code, not when you work with it in controller or model code. Imagine the following scenario. In your controller code, you would do this:
// controller code
$name = $_GET["name"];
Then you would escape and display the name in your view code:
// view code
echo htmlspecialchars($name);
Because we want to escape it for display, it makes sense to do it right when we display it. There are two reasons this is a better approach.
- When writing view code, you will never assume that a value has already been escaped somewhere else. Always escape a value right when you display it.
- To make sure that you don't escape something in both your controller and your view, only escape the value with htmlspecialchars when you are displaying it.
In this example, we are never echoing out the value of the variable.
Does that make sense?
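The controller/view split in this answer, as an added example that is not part of the original post or the course's shirts.php: the controller keeps the raw value as data, only the view escapes it, and a third function shows what the second bullet warns about, escaping in both places. The `$get` array is a constructed stand-in for `$_GET` so the script runs from the command line.

```php
<?php
// Added example (not from the course): escape for HTML in the view, never in the controller.
declare(strict_types=1);

// --- controller code: read the value, do not escape it here ---
function controller(array $get): array
{
    $name = $get['name'] ?? '';   // raw, unescaped; it is data, not HTML yet
    return ['name' => $name];
}

// --- view code: escape right when the value is rendered into HTML ---
function view(array $data): string
{
    return '<p>Hello, ' . htmlspecialchars($data['name'], ENT_QUOTES, 'UTF-8') . '</p>';
}

// What goes wrong if the controller escapes too: the view escapes the already
// escaped string, so the visitor sees literal entity text instead of the name.
function doubleEscaped(array $get): string
{
    $name = htmlspecialchars($get['name'] ?? '', ENT_QUOTES, 'UTF-8'); // escaped in controller...
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>'; // ...and again in view
}

// Constructed request parameter standing in for $_GET (a browser would send ?name=...).
$get = ['name' => 'Diogo <b>Gomes</b> & friends'];

echo view(controller($get)), "\n";   // <b> and & arrive in the page as &lt;b&gt; and &amp;
echo doubleEscaped($get), "\n";      // the & of each entity is escaped again, giving &amp;lt;b&amp;gt;
```

The first line of output renders in a browser as the name the visitor typed, with the tags shown as text rather than interpreted. The second line renders with visible `&lt;b&gt;` in it, which is the symptom of escaping twice; keeping the escape in the view alone avoids it.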
Diogo Gomes (7,054 Points)
Thanks Randy,
Yes, it does. Usually I escape it when I get the variable, because I'm always concerned about security issues and usually I will use that variable in an SQL query.
In this case, you use "intval" after getting the variable, and there's no SQL query with that variable, so there's no security problem. Right?
Thanks again for your answer and your videos, looking forward to the next ones. Diogo Gomes
Randy Hoyt (Treehouse Guest Teacher)
There are two concepts you'll often hear together: filter input and escape output. Filtering input is what you do when you get a variable, and you want to filter out any invalid data. Using intval here is doing precisely that; we are expecting an integer, so we use the intval function to get rid of any invalid data. That's where you have to be careful about SQL queries; you want to filter the input so that the values you use in calculations and SQL queries are what you expect them to be.
The other concept is escaping output. This is when you take valid data and escape it so that it displays correctly in a given context. Using htmlspecialchars is escaping output right before you display it in an HTML page. (If you were displaying data in an Android app or inserting it into a database, you wouldn't have to escape it for HTML.) In plenty of form fields, HTML is perfectly valid -- like this textarea I'm typing in right now. You wouldn't want to use htmlspecialchars to filter the input because the HTML is valid, and you'd want to store it in the database unescaped. You'd want to use htmlspecialchars to escape it right before you output it in a web page.
Does that make sense?
Diogo Gomes (7,054 Points)
Hi Randy,
Sorry for the long delay on this answer. Yes, that makes perfect sense.
Can you please just confirm this for me: I need to get an int value from a GET var, and use it to make SQL queries. Is using intval on that GET var enough in terms of security, or should I do something else?
Thank you very much, Diogo Gomes
Randy Hoyt (Treehouse Guest Teacher)
Using intval will properly filter the input to make sure that it is an integer. (It will convert almost every string to a 0 integer value.) There's one other thing you should do: prepare the statement. Here's a Stack Overflow question; the answer walks through how to do it:
If you are using mysql_connect instead of PDO, then I would recommend switching to PDO.
Diogo Gomes (7,054 Points)
Thanks Randy,
Yes, I've already started to use PDO. Thanks for all the help.
Cheers, Diogo
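The two steps Randy lists in his last reply, filter the page number with intval and then run the query as a PDO prepared statement, as an added example that is not code from the course or from either poster. It uses an in-memory SQLite database (assumes the pdo_sqlite extension is available) filled with constructed rows, and a constructed array stands in for `$_GET`; the `products` table, the `PER_PAGE` constant and the function names are all choices made for this example.

```php
<?php
// Added example (not from the course): filter input with intval, query with a
// prepared statement, and only escape the value when it is printed.
declare(strict_types=1);

const PER_PAGE = 4;

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE products (sku INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    // Constructed sample rows so the script runs offline.
    $insert = $db->prepare('INSERT INTO products (sku, name) VALUES (:sku, :name)');
    for ($i = 1; $i <= 10; $i++) {
        $insert->execute([':sku' => 100 + $i, ':name' => "Shirt #$i"]);
    }
    return $db;
}

// Filter input: intval turns any string into an integer (non-numeric text becomes 0,
// "3x" becomes 3), and the result is then clamped to the pages that actually exist.
function currentPage(array $get, int $totalPages): int
{
    $page = isset($get['pg']) ? intval($get['pg']) : 1;
    if ($page < 1) {
        $page = 1;
    }
    if ($page > $totalPages) {
        $page = $totalPages;
    }
    return $page;
}

// Prepared statement: the page number is bound as an integer parameter and never
// becomes part of the SQL text, so the database sees a fixed query shape.
function productsForPage(PDO $db, int $page): array
{
    $stmt = $db->prepare(
        'SELECT sku, name FROM products ORDER BY sku LIMIT :limit OFFSET :offset'
    );
    $stmt->bindValue(':limit', PER_PAGE, PDO::PARAM_INT);
    $stmt->bindValue(':offset', ($page - 1) * PER_PAGE, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = connect();
$total = (int) $db->query('SELECT COUNT(*) FROM products')->fetchColumn();
$totalPages = (int) ceil($total / PER_PAGE);

// Constructed values of the pg query parameter: a normal page, junk text,
// a number past the last page, and a number with trailing characters.
foreach (['2', 'abc', '99', '3x'] as $raw) {
    $page = currentPage(['pg' => $raw], $totalPages);
    // Escape output: the raw value is printed, so it is escaped here and only here.
    echo 'pg=' . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8') . " -> page $page: ";
    echo implode(', ', array_column(productsForPage($db, $page), 'name')), "\n";
}
```

Binding the LIMIT and OFFSET values with `PDO::PARAM_INT` matters beyond SQLite: with MySQL and emulated prepares, PDO would otherwise quote them as strings and the query would fail. Note that intval alone does not stop an out-of-range page number, which is why `currentPage` clamps it before the offset is computed.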