ChidoriSoul Posted February 22, 2010
Just making some security for my site, and wondering which way is better, htmlspecialchars or mysql_real_escape_string, or both?
Synook Posted February 22, 2010
They are used for completely different things. htmlspecialchars() converts special HTML characters into entities so that they can be output without problems (or a risk of XSS), while mysql_real_escape_string() escapes sensitive SQL characters so interpolated queries can be performed without the risk of SQL injection.
ChidoriSoul (Author) Posted February 22, 2010
So the better way would be to use both?
Synook Posted February 22, 2010
It depends on what your application is. If it doesn't involve databases, then there's no need to call mysql_real_escape_string(); similarly, if the input needs to be in HTML then htmlspecialchars() would not be appropriate. However, if you are inserting untrusted content into a database that will in the future be output to an HTML page and you do not want said output's HTML code to be parsed, then you should modify the input with both. Note that it is more common (and generally better) to invoke htmlspecialchars() when output occurs.
Redroest Posted February 22, 2010
Simply said: real_escape_string is for making a legal query to INPUT. htmlspecialchars is used for legal OUTPUT to your html/xhtml.
yoursanjay Posted February 22, 2010
I have faced a problem related to this topic for a long time. I have to insert content into a MySQL database and the content has the output in HTML format. I use both the htmlspecialchars() and mysql_real_escape_string() expressions to provide security at the time of data input. I have seen that if there is "" or ' in the content, the content can't be inserted; otherwise it is ok. The same code sometimes goes perfectly on a different server. I generally use something like:
$x = htmlspecialchars($_REQUEST['content']);
or $x = mysql_real_escape_string($_REQUEST['content']);
or $x = htmlspecialchars(mysql_real_escape_string($_REQUEST['content']));
My question: is the problem server related, since sometimes I didn't get any error on some servers and never on localhost? When I get the output in HTML format, there I always find some junk data like 'rn' and every time it cannot render the ' & " signs. Please help.
justsomeguy Posted February 23, 2010
You're not checking to see whether or not you need to strip slashes. Some servers will automatically add slashes if the magic quotes option is set. You can check that option with this: http://www.php.net/manual/en/function.get-...-quotes-gpc.php
If magic quotes is enabled, then you need to strip slashes from anything you get from $_GET, $_POST, or $_COOKIE. If you just use mysql_real_escape_string without checking to see whether magic quotes is enabled, then you'll end up escaping the already-escaped data.
"I use both of the htmlspecialchars() and mysql_real_escape_string expression to provide security at the time of Data input."
Exactly what security do you think htmlspecialchars provides for data going into MySQL? Why do you use it for input?
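The layering Synook and justsomeguy describe (undo magic quotes once, escape for SQL only at query time, escape for HTML only at output time), as an added example that is not from any poster in this thread. It assumes a reachable MySQL server with the placeholder credentials shown and a table `posts (id INT AUTO_INCREMENT PRIMARY KEY, content TEXT)`, and uses mysqli_real_escape_string() because the mysql_ extension the thread refers to was removed in PHP 7.

```php
<?php
// Added example (not from the thread). Assumes MySQL reachable with the placeholder
// credentials below and a table: posts (id INT AUTO_INCREMENT PRIMARY KEY, content TEXT).

function normalize_input(string $value): string {
    // Step 1: if the server added slashes via magic_quotes_gpc (PHP < 7.4), remove
    // them exactly once, so the SQL escape below does not escape already-escaped data.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

function store_content(mysqli $db, string $raw): void {
    // Step 2: escape for SQL only, immediately before interpolating into the query.
    // Do NOT htmlspecialchars() here: storing "it&#039;s" and encoding again on output
    // yields "it&amp;#039;s", which the browser shows as the literal text "it&#039;s".
    // (A prepared statement with a bound parameter would remove this manual step.)
    $escaped = mysqli_real_escape_string($db, $raw);
    $db->query("INSERT INTO posts (content) VALUES ('$escaped')");
}

function render_content(string $stored): string {
    // Step 3: escape for HTML at output time. ENT_QUOTES covers both ' and ", so the
    // stored text renders verbatim and cannot inject markup or script.
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

// Placeholder credentials; replace with your own.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');  // the escape function must know the connection charset

// Constructed sample input exercising quotes, CRLF and markup.
$raw = normalize_input($_REQUEST['content'] ?? "it's \"quoted\"\r\n<b>bold</b>");
store_content($db, $raw);

$row = $db->query('SELECT content FROM posts ORDER BY id DESC LIMIT 1')->fetch_assoc();
// Quotes, newlines and <b> come back exactly as submitted, encoded only for display.
echo render_content($row['content']);
```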