A user submits a search query to my site.
I then take this query and use it in other places, as well as echoing it back out to the page.
Right now I'm using htmlspecialchars() to filter it.
What other steps should I take to prevent XSS, SQL injection, etc., and things I can't even think of? I want to have all my bases covered.
<?php $query = $_GET["query"]; $query = htmlspecialchars($query); ?>
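A fuller version of the pattern asked about, as an added example that is not the asker's code: the raw value is kept for processing, escaped separately for each output context (HTML text, HTML attribute, URL component), and passed to the database only through a prepared statement. The PDO DSN and credentials, and the products table with its name column, are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Keep the raw value for processing; escape only at the point of output.
$query = $_GET['query'] ?? '';
if (!is_string($query) || strlen($query) > 200) {   // ?query[]=x arrives as an array
    http_response_code(400);
    exit('Bad query');
}

// Declare the charset so htmlspecialchars() and the browser agree on the encoding.
header('Content-Type: text/html; charset=UTF-8');

// HTML text/attribute context. ENT_QUOTES also encodes single quotes, which
// matters inside attributes written as value='...'; ENT_SUBSTITUTE avoids
// returning an empty string on invalid UTF-8.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Database: a prepared statement keeps the search term out of the SQL grammar.
// DSN, credentials, table and column names are assumptions for this example.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);
// LIKE wildcards in user input are escaped so "%" or "_" cannot widen the search.
$like = '%' . addcslashes($query, '%_\\') . '%';
$stmt = $pdo->prepare('SELECT name FROM products WHERE name LIKE :q LIMIT 50');
$stmt->execute([':q' => $like]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
?>
<p>Results for "<?= h($query) ?>"</p>
<form method="get">
  <input type="text" name="query" value="<?= h($query) ?>">
</form>
<!-- URL context: percent-encode the component, then HTML-encode the attribute -->
<a href="?query=<?= h(rawurlencode($query)) ?>&amp;page=2">Next page</a>
<ul>
<?php foreach ($rows as $row): ?>
  <li><?= h($row['name']) ?></li>
<?php endforeach; ?>
</ul>
```

Escaping at output rather than at input means the same raw value can also go into a log line or a JSON response with the encoder appropriate to that context, instead of carrying HTML entities into places where they are wrong.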