fixed html injection

threadr/board/board.php

@@ -5,20 +5,27 @@ $statement->execute(array("bid"=>$id));
 foreach($statement->fetchAll() as $ROW) {
   $statement = $pdo->prepare("SELECT * FROM users WHERE id=:uid");
   $statement->execute(array("uid"=>$ROW[user_id]));
-  $post_user = $statement->fetch();
-  echo "<section>";
-  echo "<h1>$ROW[title]</h1>";
-  echo "<article>";
-  echo "<header>";
-  echo "<div>";
-  echo "<p class='beige'>$post_user[name] <time datetime='$ROW[post_time]'>$ROW[post_time]</time></p>";
-  echo "</div>";
-  echo "</header>";
-  echo "<div class='postcontent'>";
-  echo "<p>$ROW[content]</p>";
-  echo "</div>";
-  echo "</article>";
-  echo "</section>";
+
+  $post_creator = $statement->fetch();
+
+  $post_title = htmlspecialchars($ROW['title']);
+  $post_creator_name = htmlspecialchars($post_creator['name']);
+  $post_time = htmlspecialchars($ROW['post_time']);
+  $post_content = htmlspecialchars($ROW['content']);
+
+  echo "<section>
+<h1>$post_title</h1>
+<article>
+<header>
+<div>
+<p class='beige'> $post_creator_name <time datetime='$post_time'>$post_time</time></p>
+</div>
+</header>
+<div class='postcontent'>
+<p>$post_content</p>
+</div>
+</article>
+</section>";
 }
 ?>