Good Code
The good version uses a small escaping helper for text rendered into HTML, including quotes and invalid byte substitution.
Lesson 03
Escape untrusted values when rendering HTML so user content cannot become markup or script.
<?php declare(strict_types=1);
// Escape text before it becomes HTML output.
function e(string $value): string
{
return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
?>
<h1><?= e($user['name']) ?></h1>
<p><?= e($user['bio']) ?></p><?php
// Direct output treats user content as trusted HTML.
?>
<h1><?= $user['name'] ?></h1>
<p><?= $_GET['bio'] ?></p>The good version uses a small escaping helper for text rendered into HTML, including quotes and invalid byte substitution.
The bad version outputs database and request values directly. If those values contain HTML, the template will treat them as markup.