Your current implementation is correct. If you don't use htmlspecialchars, you're susceptible to this potential scenario:
http://mydomain.com/enquiry.php/"><script>alert('hacked')</script>
All you're missing in your scenario is the "> to break out of the current tag.
What htmlspecialchars does is escape the potentially-malicious string so that it cannot be interpreted as raw HTML.
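An added example (not part of the answer above) that reproduces the scenario it describes: the same request path is echoed once raw and once through htmlspecialchars(), and a small check confirms that only the escaped version keeps the value inside the action attribute. The script name, the function names and the sample path are constructed for illustration.

```php
<?php
// Constructed sample: the value PHP_SELF would carry for a request to
// /enquiry.php/"><script>alert('hacked')</script>
$phpSelf = '/enquiry.php/"><script>alert(\'hacked\')</script>';

// Vulnerable pattern: the " closes the attribute and the > closes the <form>
// tag, so the <script> element that follows is parsed as page markup.
function formActionUnsafe(string $path): string {
    return '<form action="' . $path . '" method="post">';
}

// Hardened pattern: htmlspecialchars() converts & < > " (and ' with
// ENT_QUOTES) into entities, so the browser sees one long attribute value
// and never a new tag.
function formActionSafe(string $path): string {
    $escaped = htmlspecialchars($path, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $escaped . '" method="post">';
}

// Check used here to compare the two outputs: a well-formed <form> line has
// exactly four raw double quotes (action="..." and method="...") and no
// literal <script start tag anywhere in it.
function attributeStaysClosed(string $html): bool {
    return substr_count($html, '"') === 4
        && strpos($html, '<script') === false;
}

echo formActionUnsafe($phpSelf), "\n";
echo formActionSafe($phpSelf), "\n";
var_dump(attributeStaysClosed(formActionUnsafe($phpSelf)));
var_dump(attributeStaysClosed(formActionSafe($phpSelf)));
```

Run it with the PHP CLI to see both renderings side by side. ENT_QUOTES is used so that single-quoted attributes are covered as well as double-quoted ones, and passing the charset explicitly avoids relying on the default_charset ini setting.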