
Code -

$price = mysqli_real_escape_string($connect,trim($results['price']));

price is retrieved from the database, and then echoed using -

echo $price; 

Question - Is this safe enough from XSS or SQL Injection? It simply includes numbers.

Thanks

  • Is $results['price'] user input? Commented Feb 28, 2011 at 21:37
  • @CJD no. It is mysqli_fetch_array Commented Feb 28, 2011 at 21:38
  • SQL injection can only occur if user actions write to the database. Commented Feb 28, 2011 at 21:38

5 Answers


The checking should probably be done during data input, but you could be safe and also check at output. I would just use is_numeric or something similar to ensure that the output is, indeed, a number.


Standard practice is to use htmlspecialchars() or htmlentities() to escape output to the browser for protection against XSS. However, as mentioned in another answer, the real issue is whether correct data was stored in the database in the first place. It should be properly validated and escaped before storage in the database.


To be safe you need to assess whether the input for $results['price'] comes from user input.

If it is you need to strongly validate/sanitize it as an expected value before sending it to SQL.


If your data is only read from the db you can ignore using mysqli_real_escape_string(). It's valuable for escaping user input which should be written to the db.


mysqli_real_escape_string() is used to escape data about to be inserted IN the database, to prevent SQL Injection. It has nothing to do with XSS.

You have to use htmlentities() to do what you want to do. I suggest you read eykanal's answer and use is_numeric to validate.
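Putting the advice from the answers above together (validate with is_numeric, escape with htmlspecialchars/htmlentities on output), here is an added example of what the output side of the question could look like. It is not code from the question or from any answer; the renderPrice() helper and the three sample rows are constructed for illustration, and the third row stands in for a value that was stored without validation.

```php
<?php
// Added example, not from the question or any answer. Assumption: $results['price']
// is whatever the row holds, so it is treated as untrusted even though it came
// from the database.

/**
 * Validate that a value read from the DB is a well-formed number and return it
 * as a string that is safe to echo into HTML. Returns null if it is not numeric.
 */
function renderPrice($raw)
{
    // Trim first: is_numeric() tolerates leading whitespace but historically
    // rejected trailing whitespace, so normalise before checking.
    $value = trim((string) $raw);

    // is_numeric() accepts "12.50" or "1e3" and rejects "12abc" or markup.
    if (!is_numeric($value)) {
        return null;
    }

    // Fix the output format so the caller cannot be surprised by "1e3".
    $formatted = number_format((float) $value, 2, '.', '');

    // Escaping a value that is already numeric costs nothing and keeps the
    // rendering code correct if the validation is ever loosened later.
    return htmlspecialchars($formatted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample rows: a clean value, one with stray whitespace, and one
// that is exactly the kind of stored payload "echo $price;" would emit verbatim.
$samples = [
    ['price' => '12.50'],
    ['price' => ' 7 '],
    ['price' => '<script>alert(1)</script>'],
];

foreach ($samples as $results) {
    $safe = renderPrice($results['price']);
    if ($safe === null) {
        // Never echo the bad value; record the row and show a placeholder.
        error_log('non-numeric price in row: ' . json_encode($results['price']));
        echo "<td>n/a</td>\n";
    } else {
        echo "<td>{$safe}</td>\n";
    }
}
```

The first two rows render as 12.50 and 7.00; the third is rejected by is_numeric() and logged instead of being echoed. mysqli_real_escape_string() plays no part here: it is only relevant when a value is being interpolated into an SQL string on the way into the database, and for that path a prepared statement (mysqli_prepare() with bind_param()) is the more robust choice than manual escaping.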
