10

My users are allowed to insert anything into my database.

So using a whitelist / blacklist of characters is not an option.

I'm not worried (covered it) about the database end (SQL injection), but rather code injection in my pages.

Are there any situations where htmlspecialchars() wouldn't be sufficient to prevent code injection?

PeeHaa

4 Answers

4

Plain htmlspecialchars is not sufficient when inserting user text into single quoted attributes. You need to add ENT_QUOTES in that case and you need to pass the encoding.

<tag attr='<?php echo htmlspecialchars($usertext);?>'> //dangerous if ENT_QUOTES is not used

When inserting user text into javascript/json as string you'll need additional escaping.

I think it fails for strange character sets too. But if you use one of the usual charsets (UTF-8, Latin1, ...) it will work as expected.

CodesInChaos
  • I hate single quoted attributes :) Thanks for the heads up on the JS part since it will be the case in some point in the future. – PeeHaa Nov 20 '11 at 14:11
3

No, it's not sufficient in all situations. It highly depends on your codebase. For example, if you use JavaScript to make certain AJAX requests to a database, htmlspecialchars() will sometimes not be enough (depending where you use it). If you want to protect cookies from JavaScript XSS, htmlspecialchars() will also not be good enough.

Here are some examples of when htmlspecialchars() may fail: https://www.owasp.org/index.php/Interpreter_Injection#Why_htmlspecialchars_is_not_always_enough. Your question is also highly dependent on what database you're using (not everyone uses MySQL). If you're writing a complex application I highly suggest using one of the many frameworks out there that abstract these annoying little idiosyncrasies and let you worry about the application code.

David Titarenco
2

Using htmlspecialchars is sufficient when inserting inside HTML code. The way it encodes the characters makes it impossible for the resulting text to “break out” of the current element. That way it can neither create other elements, nor script segments etc.

However, in all other situations htmlspecialchars is not automatically enough. For example, when you use it to insert code within some JavaScript area, for example when you fill a JavaScript string with it, you will need additional methods to make it safe. In that case addslashes could help.

So depending on where you insert the resulting text, htmlspecialchars gives you either enough security or not. As the function name already suggests, it just promises security for HTML.

poke
1

htmlspecialchars will suffice. With < and > being converted to &lt; and &gt; you cannot include scripts anymore.

GolezTrol