ChidoriSoul

Htmlspecialchars Or Mysql_real_escape_string


They are used for completely different things. htmlspecialchars() converts special HTML characters into entities so that they can be output without problems (or a risk of XSS), while mysql_real_escape_string() escapes sensitive SQL characters so interpolated queries can be performed without the risk of SQL injection.


It depends on what your application is. If it doesn't involve databases, then there's no need to call mysql_real_escape_string(); similarly, if the input needs to be in HTML then htmlspecialchars() would not be appropriate. However, if you are inserting untrusted content into a database that will in the future be output to an HTML page and you do not want said output's HTML code to be parsed, then you should modify the input with both. Note that it is more common (and generally better) to invoke htmlspecialchars() when output occurs.
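The point made in the two replies above, one escaping function per output context and the HTML escaping done at render time, as an added example that is not code from this thread. It assumes PHP with the pdo_sqlite extension (an in-memory SQLite table stands in for MySQL; the same code works with a MySQL DSN) and uses a prepared statement for the SQL side, since the mysql_* functions, including mysql_real_escape_string(), were removed in PHP 7. The "untrusted" values are constructed stand-ins for $_REQUEST input.

```php
<?php
// Added example: one escaping step per context. Assumes pdo_sqlite is available.
// Constructed inputs standing in for untrusted request data.
$untrusted = [
    "O'Reilly & Sons <b>bold</b>",    // single quote, ampersand, HTML tag
    "5 > 3 \"quoted\" \\ backslash",  // double quotes and a backslash
];

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, content TEXT NOT NULL)');

// Input side, SQL context: a prepared statement sends the value separately from the
// query text, so no quote or backslash in it can terminate the string literal.
// This is the modern replacement for escaping with mysql_real_escape_string().
$insert = $pdo->prepare('INSERT INTO posts (content) VALUES (:content)');
foreach ($untrusted as $value) {
    $insert->execute([':content' => $value]);
}

// Output side, HTML context: escape when rendering, not when storing.
function render(string $content): string
{
    return '<p>' . htmlspecialchars($content, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

foreach ($pdo->query('SELECT id, content FROM posts ORDER BY id') as $row) {
    // What was stored is byte-for-byte what was submitted: no entities, no added slashes.
    assert($row['content'] === $untrusted[$row['id'] - 1]);
    echo render($row['content']), "\n";
}

// Why htmlspecialchars() belongs at output only: applying it on input as well means
// the stored entity text is escaped a second time when rendered, so the browser shows
// the literal text "&amp;" where the user typed "&".
echo htmlspecialchars(htmlspecialchars('A & B')), "\n";
```

Storing the raw text and escaping on the way out keeps the database reusable for other outputs (JSON, plain-text e-mail, a different template) that need different escaping than HTML entities.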


I have faced a problem related to this topic for a long time. I have to insert content into a MySQL database and the content has the output in the HTML format. I use both of the htmlspecialchars() and mysql_real_escape_string expressions to provide security at the time of data input. I have seen that if there is "", or ' in the content, the content can't be inserted; otherwise it is ok. The same code sometimes goes perfectly in a different server. I generally use like:

$x = htmlspecialchars($_REQUEST['content']);
or $x = mysql_real_escape_string($_REQUEST['content']);
or $x = htmlspecialchars(mysql_real_escape_string($_REQUEST['content']));

My question: is the problem server related, while sometimes I didn't get any error in some servers and never in localhost? When I get the output in the HTML format, there I always find some junk data like 'rn' and every time it cannot render the ' & " signs. Please help.


You're not checking to see whether or not you need to strip slashes. Some servers will automatically add slashes if the magic quotes option is set. You can check that option with this:
http://www.php.net/manual/en/function.get-...-quotes-gpc.php
If magic quotes is enabled, then you need to strip slashes from anything you get from $_GET, $_POST, or $_COOKIE. If you just use mysql_real_escape_string without checking to see whether magic quotes is enabled, then you'll end up escaping the already-escaped data.

I use both of the htmlspecialchars() and mysql_real_escape_string expression to provide security at the time of Data input.
Exactly what security do you think htmlspecialchars provides for data going into MySQL? Why do you use it for input?
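The double-escaping problem described in the reply above, as an added example that is not code from this thread. It assumes PHP; get_magic_quotes_gpc() only exists up to PHP 7.4 (magic quotes themselves were removed in 5.4 and the function in 8.0), so the function_exists() guard keeps the script runnable on newer versions, where request data is never slashed. The slashed $_POST array is constructed to simulate what magic_quotes_gpc used to produce, and addslashes() stands in for mysql_real_escape_string() because it applies the same backslash escaping to ' " \ and NUL without needing a database connection.

```php
<?php
// Added example: strip the slashes magic quotes added, then escape exactly once.

// Constructed stand-in for $_POST as magic_quotes_gpc would have delivered it:
// the user typed  O'Reilly says "hi"  and the tags  C's  and  D\E
$simulated_post = [
    'title' => "O\\'Reilly says \\\"hi\\\"",
    'tags'  => ['C\\\'s', 'D\\\\E'],
];

/** Remove the slashes magic quotes added, descending into nested arrays. */
function strip_magic_quotes($value)
{
    return is_array($value) ? array_map('strip_magic_quotes', $value) : stripslashes($value);
}

/** Return request data as the user typed it, whatever the magic_quotes_gpc setting. */
function raw_request_value(array $source, bool $magic_quotes_on): array
{
    return $magic_quotes_on ? strip_magic_quotes($source) : $source;
}

// On a real server this is the check the reply refers to; the guard covers PHP 8, where
// the function no longer exists and the answer is always "off".
$magic_on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
echo 'magic_quotes_gpc on this PHP: ', ($magic_on ? 'on' : 'off'), "\n";

// In real use: $clean = raw_request_value($_POST, $magic_on);
// The constructed array above is already slashed, so treat it as if magic quotes were on.
$clean = raw_request_value($simulated_post, true);

// addslashes() stands in for mysql_real_escape_string() (assumption: same backslash
// escaping of ' " \ and NUL, no connection needed).
$once  = addslashes($clean['title']);           // escaped once: a correct SQL string literal
$twice = addslashes($simulated_post['title']);  // escaped on top of magic quotes: stray backslashes

echo "typed: ", $clean['title'], "\n";
echo "once:  ", $once, "\n";
echo "twice: ", $twice, "\n";
foreach ($clean['tags'] as $tag) {
    echo "tag:   ", $tag, "\n";
}
```

The "twice" line is what ends up in the table when escaping runs on already-slashed input: the extra backslashes are stored literally and show up later in the rendered HTML, which matches the stray characters the original poster sees on some servers but not on localhost, where the setting differs.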

