fixed html injection

threadr/board/board.php

@@ -5,20 +5,27 @@ $statement->execute(array("bid"=>$id));
 foreach($statement->fetchAll() as $ROW) {
   $statement = $pdo->prepare("SELECT * FROM users WHERE id=:uid");
   $statement->execute(array("uid"=>$ROW[user_id]));
-  $post_user = $statement->fetch();
+
-  echo "<section>";
+  $post_creator = $statement->fetch();
-  echo "<h1>$ROW[title]</h1>";
+
-  echo "<article>";
+  $post_title = htmlspecialchars($ROW['title']);
-  echo "<header>";
+  $post_creator_name = htmlspecialchars($post_creator['name']);
-  echo "<div>";
+  $post_time = htmlspecialchars($ROW['post_time']);
-  echo "<p class='beige'>$post_user[name] <time datetime='$ROW[post_time]'>$ROW[post_time]</time></p>";
+  $post_content = htmlspecialchars($ROW['content']);
-  echo "</div>";
+
-  echo "</header>";
+  echo "<section>
-  echo "<div class='postcontent'>";
+<h1>$post_title</h1>
-  echo "<p>$ROW[content]</p>";
+<article>
-  echo "</div>";
+<header>
-  echo "</article>";
+<div>
-  echo "</section>";
+<p class='beige'> $post_creator_name <time datetime='$post_time'>$post_time</time></p>
+</div>
+</header>
+<div class='postcontent'>
+<p>$post_content</p>
+</div>
+</article>
+</section>";
 }
 ?>