Titanium, posted January 6, 2008

What's the difference between htmlentities and mysql_real_escape_string? I know they both prevent a user from entering data that could be a danger to your site, but how would you know which one to use?

I've got a form that allows a person to contact me.

    $name = $_POST['name'];
    $email = $_POST['email'];
    $subject = $_POST['subject'];
    $comments = $_POST['comments'];
    $to = "user@address.com";
    // $message was never assigned in the posted code; assumed here to be the comments field
    $message = $comments;
    if (mail($to, "Email subject: $subject", $message, "From: $email\n")) {
        echo "Email sent";
    } else {
        echo "Email not sent";
    }

And then on my HTML page would be the input fields and submit button. So would I use htmlentities or mysql_real_escape_string in a case like that?
Ingolme, posted January 6, 2008

mysql_real_escape_string prevents people from modifying SQL queries, while htmlentities prevents people from modifying the displayed HTML page.
Titanium (author), posted January 6, 2008

I see. So htmlentities, such as `$name = htmlentities($_POST['name']);`, would be best for this situation then.
zppblood, posted January 6, 2008

Like Ingolme said, when you use MySQL code, use mysql_real_escape_string(), and if you are outputting something in the browser use htmlentities() so they can't add their own HTML, scripting languages (JavaScript, VBScript), ActiveX, Flash (with use of ActionScript), etc.
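The point made in Ingolme's and zppblood's replies is that escaping is specific to the context the data ends up in: an SQL escape does nothing for HTML, and an HTML escape does nothing for SQL. The contact form in the opening post also has a third context the thread does not name, the mail header, where neither function helps. The following is an added example, not code from anyone in the thread; it runs the same constructed hostile input through all three contexts. mysql_real_escape_string() itself was removed in PHP 7.0, so the SQL context uses a PDO prepared statement (against an in-memory SQLite database, so it runs offline), which is the current way to keep user data out of the query text. The function names forHtml(), storeMessage() and headerSafeEmail() are this example's own.

```php
<?php
// Added example (not from the original thread): one piece of user input,
// three output contexts, three different protections.
declare(strict_types=1);

// Constructed sample input a hostile visitor might submit to the contact form.
$input = [
    'name'     => "Bob <script>alert('xss')</script>",
    'email'    => "bob@example.com\r\nBcc: victim@example.net",   // header injection attempt
    'subject'  => "Hi' OR '1'='1",                                 // SQL quote breakout attempt
    'comments' => "Hello",
];

// 1. HTML context: what the thread calls htmlentities(). htmlspecialchars()
//    encodes the characters that matter for HTML (& < > " '); ENT_QUOTES
//    makes the result safe inside attribute values as well as text.
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2. SQL context: a prepared statement sends the values separately from the
//    SQL text, so the quote in the subject can never terminate the literal.
//    Returns the subject as stored, so the caller can see it was kept verbatim.
function storeMessage(PDO $db, array $m): string
{
    $db->exec("CREATE TABLE IF NOT EXISTS messages "
            . "(name TEXT, email TEXT, subject TEXT, comments TEXT)");
    $stmt = $db->prepare("INSERT INTO messages (name, email, subject, comments) "
                       . "VALUES (:name, :email, :subject, :comments)");
    $stmt->execute([
        ':name'     => $m['name'],
        ':email'    => $m['email'],
        ':subject'  => $m['subject'],
        ':comments' => $m['comments'],
    ]);
    return (string)$db->query("SELECT subject FROM messages")->fetchColumn();
}

// 3. Mail header context (the "From: $email" header in the original form):
//    a CR or LF in the address lets the visitor append headers such as Bcc:.
//    Escaping for HTML or SQL leaves those bytes untouched, so the only safe
//    option is to validate and refuse. Returns null when the value must not
//    be placed in a header.
function headerSafeEmail(string $email): ?string
{
    if (preg_match('/[\r\n]/', $email) === 1) {
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Demonstration of each context on the constructed input.
echo "HTML: ", forHtml($input['name']), "\n";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stored = storeMessage($db, $input);
echo "SQL: stored subject ", ($stored === $input['subject'] ? "verbatim" : "CHANGED"), "\n";

$from = headerSafeEmail($input['email']);
if ($from === null) {
    echo "MAIL: refusing to send, address is not a single valid header-safe value\n";
} else {
    // Only now would the original post's mail() call be safe to build:
    $headers = "From: " . $from . "\r\n";
    echo "MAIL: would send with headers: ", $headers;
}
echo "MAIL: clean address accepted: ", headerSafeEmail('bob@example.com') ?? 'null', "\n";
```

Run with `php example.php`. The HTML line shows the script tag encoded rather than executed; the SQL line shows the subject stored exactly as typed, quote included, without altering the query; and the mail section refuses the address carrying a CR/LF, which is the case the original form's `"From: $email\n"` header would have passed straight to the mailer.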
This topic is now archived and is closed to further replies.