If you are not using a database with your application, but you do 'echo' or use a $_POST or $_GET variable in your code, do you need to escape them?
Like:
// Prints the raw query-string value straight into the page
if (isset($_GET['test'])) {
    echo $_GET['test'];
}
or
// Multiplies two query-string values, or returns null if either is missing
function math() {
    if (isset($_GET['number'], $_GET['numberr'])) {
        return $_GET['number'] * $_GET['numberr'];
    }
    return null;
}
Even if you use a database you need to escape or sanitize them before printing. Someone could sneak in stray HTML like <b> that will make your whole page bold, or <script>alert('hello');</script> that will run JavaScript.
echo htmlspecialchars($_GET['test']);
This will replace all your < with &lt; and > with &gt; so that the HTML will be treated as text rather than HTML and will not mess up your page.
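The following is an added example, not code from the question or the answer above. It puts the vulnerable echo beside its encoded form, shows why the attribute context also needs quotes escaped, and handles the arithmetic case from the question by validating the numbers instead of escaping them. The function names (e, render_unsafe, render_safe, render_attr, math) and the sample request values are assumptions made for the example; it runs from the command line with a constructed $get array standing in for $_GET.

```php
<?php
declare(strict_types=1);

// Encode a string for the HTML text context or a quoted attribute value.
// ENT_QUOTES also converts ' and ", so the result is safe inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable: untrusted input is echoed straight into the page (reflected XSS).
function render_unsafe(string $test): string
{
    return '<p>You searched for: ' . $test . '</p>';
}

// Hardened: the same markup, with the input encoded for the HTML text context.
function render_safe(string $test): string
{
    return '<p>You searched for: ' . e($test) . '</p>';
}

// Attribute context: the encoder must also cover quotes, otherwise the
// attacker closes the value="..." attribute and adds an event handler.
function render_attr(string $value): string
{
    return '<input type="text" name="q" value="' . e($value) . '">';
}

// For the arithmetic case, escaping is the wrong tool: validate that both
// parameters are numbers, so the result is a float and no attacker-controlled
// text ever reaches the page. Returns null when either value is missing or
// not a valid number (a non-numeric string in arithmetic throws a TypeError
// on PHP 8 instead of silently being treated as zero).
function math(array $get): ?float
{
    if (!isset($get['number'], $get['numberr'])) {
        return null;
    }
    $a = filter_var($get['number'], FILTER_VALIDATE_FLOAT);
    $b = filter_var($get['numberr'], FILTER_VALIDATE_FLOAT);
    if ($a === false || $b === false) {
        return null;
    }
    return $a * $b;
}

// Constructed sample request (an assumption for the example, not a real capture).
$get = [
    'test'    => '<script>alert(\'hello\');</script>',
    'q'       => '" onfocus="alert(1)" autofocus="',
    'number'  => '6',
    'numberr' => '7abc',
];

echo render_unsafe($get['test']), "\n";
echo render_safe($get['test']), "\n";
echo render_attr($get['q']), "\n";
var_dump(math($get));
var_dump(math(['number' => '6', 'numberr' => '7']));
```

Run it with `php example.php` and compare the first two lines: the unsafe version reproduces the script tag verbatim, the safe version turns every <, >, ' and " into an entity, and the attribute example shows the quote in the payload neutralised so it cannot terminate the value attribute. The two var_dump calls show the numeric check rejecting 7abc and accepting 6 times 7.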