为什么我不必再次在SELECT上重新获取表单数据?

For my simple application where I chose to write my own solution for blog comments, I'm doing these 3 steps:

1. Taking data from basic HTML form inputs via POST, then escaping the strings like this:

$komentar = htmlspecialchars($_POST['komentar'], ENT_QUOTES, 'UTF-8');

2. Using PDO for db insertion:

$stmt = $conn->prepare("INSERT INTO komentare (id, jmeno, komentar, clanek) VALUES (DEFAULT, ?, ?, ?)");
    $stmt->bind_param("sss", $jmeno, $komentar, $clanek);
    $stmt->execute();
    $stmt->close();
    $conn->close();

3. Listing the results back using plain SELECT and loop-echoing like this:

$sql = "SELECT jmeno, komentar FROM komentare WHERE clanek = '$clanek' ORDER BY id DESC";
  $result = $conn->query($sql);
  if ($result->num_rows > 0) {
      while($row = $result->fetch_assoc()) {
          $zviratkoNum = rand(1,10);
          $vypis_jmeno = $row["jmeno"];
          $vypis_komentar = $row["komentar"];
          echo "<div class='radek'><span class='jmeno zviratka-". $zviratkoNum ."'>". $vypis_jmeno. "</span><span class='komentar'>" . $row["komentar"] . "</span></div>";
      }
  } else {
      echo "<h5>Zatím zde nejsou žádné komentáře</h5>";
  }
  $conn->close();

I thought it's a bad practice because while I escape the input (hopefully properly), I'm retrieving data back not escaped. But to my surprise, it get's echo'ed into DOM as a text (screenshot from my real test comment):

enter image description here

  1. Why?
  2. Is it bad practice?

Thanks in advance, Adam

htmlspecialchars converts a string of text into a format suitable for inserting into an HTML document.

A database is not an HTML document. Characters with special meaning in HTML (such as &) generally have no special meaning in a database.

So you are:

  1. Taking text and converting it to HTML source code
  2. Taking HTML source code and putting it in a database
  3. Taking HTML source code out of the database and converting it to HTML source code (so it is *double) encoded and gives you the HTML that will display HTML source code)
  4. Putting that into an HTML document

When escaping data, do so just before you put it in the data format you are escaping it for.

Don't convert to HTML before putting it into the database. Do that only before you put it into the HTML document.

It is meant to be this way. You escape the input properly so that the original value can be stored.

Filtering the actual html input from 'bad code' like <script> is another excercise.

Take Stackoverflow as an example; raw html just isn't allowed to be shown as such. The output is also put through a 'htmlspecialchars' function to display the user input as is.

When you want the users to be able to use html, it's better to use Markdown or you will have to filter 'bad' html with advanced find and replacement techniques.

Use markdown and strip_tags together!