Replies: 1 comment
HTML context-specific escaping should be done when you print data in HTML, because escaping is context-specific. You wouldn't use data escaped for HTML in JSON and XML exports, for example. Also check how Latte escapes data; it's not as simple as just htmlspecialchars(): https://blog.nette.org/en/quiz-can-you-defend-against-xss-vulnerability Other types of vulnerabilities that make sense to check in HTTP data of unknown type are handled well by nette/http.
Is it secure already, or must I use htmlspecialchars() on $id = $httpRequest->getQuery('id'); for example? Like
htmlspecialchars($httpRequest->getQuery('id'));
I will pass GET and POST variables into DB queries.
I'm using PDO prepare. This is my question: is everything already secure to be passed into the DB or not?
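The following PHP is an added example, not code from nette/http or Latte, that puts the reply's point next to the question: the raw request value is bound with a PDO prepared statement (no escaping at all for the database), and escaping happens only where the value is printed, with a different escaper per output context. It assumes the pdo_sqlite extension and PHP 8.1+; `$id` is a constructed value standing in for `$httpRequest->getQuery('id')`, and the function names are my own.

```php
<?php
declare(strict_types=1);

// Constructed input standing in for $httpRequest->getQuery('id') (nette/http).
// It contains every character class that matters to one of the contexts below.
$id = 'O\'Reilly <b>&</b> "sons" </script> a b';

/* ---- 1. Database: bind the raw value. PDO keeps SQL text and data apart. ---- */
function storeAndReadBack(string $name): string
{
    // Assumes pdo_sqlite. With MySQL you would also set PDO::ATTR_EMULATE_PREPARES to false.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE items (name TEXT NOT NULL)');

    $ins = $pdo->prepare('INSERT INTO items (name) VALUES (:name)');
    $ins->execute([':name' => $name]);   // quotes, <, & are data, never SQL

    $sel = $pdo->prepare('SELECT name FROM items WHERE name = :name');
    $sel->execute([':name' => $name]);
    return (string) $sel->fetchColumn(); // byte-for-byte what was stored
}

/* ---- 2. Output: one escaper per context, applied at the point of printing. ---- */
function escHtml(string $s): string
{
    // Body text and *quoted* attribute values; ENT_QUOTES covers ' and ".
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function escJs(string $s): string
{
    // Inside <script>: JSON-encode and hex-escape <, >, &, ', " so that neither
    // a quote nor "</script>" can end the string literal or the script element.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

function escUrlParam(string $s): string
{
    // Query-string component; the complete URL is then HTML-escaped when put in href="".
    return rawurlencode($s);
}

function render(string $name): string
{
    return '<p>' . escHtml($name) . "</p>\n"
         . '<input value="' . escHtml($name) . "\">\n"   // attribute value must be quoted
         . '<a href="/item?name=' . escHtml(escUrlParam($name)) . "\">link</a>\n"
         . '<script>var name = ' . escJs($name) . ";</script>\n";
}

/* ---- 3. Why escaping on input (the question's htmlspecialchars at getQuery) fails ---- */
function whyInputEscapingFails(string $name): array
{
    $preEscaped = htmlspecialchars($name); // "cleaned" once, before storage

    return [
        // Other exports inherit HTML entities they never asked for: corrupted data.
        'json_export'     => json_encode(['name' => $preEscaped]),
        // The HTML view escapes again at print time: "&amp;amp;" shows on screen.
        'html_twice'      => escHtml($preEscaped),
        // htmlspecialchars leaves spaces alone, so in an *unquoted* attribute the
        // value ends at the first space; only quoting the attribute fixes that.
        'unquoted_attr'   => '<input value=' . $preEscaped . '>',
        // In a <script> block the JS code sees "&lt;" etc. instead of the real text.
        'js_sees_entities' => '<script>var n = "' . $preEscaped . '";</script>',
    ];
}

/* ---- Demo ---- */
$stored = storeAndReadBack($id);
echo $stored === $id ? "DB round trip: identical\n" : "DB round trip: CHANGED\n";
echo render($stored);
print_r(whyInputEscapingFails($id));
```

Run it with `php example.php`. The first line prints "DB round trip: identical", showing that the prepared statement needed no escaping, and the `render()` output is safe in each of its four contexts only because each slot uses the escaper for that slot; the last array shows the concrete damage of escaping at `getQuery()` time instead.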