mysql-real-escape string vs. htmlentities
On a home-made CMS where HTML code needs to be stored in the MySQL database, I discovered that mysql_real_escape_string did not always allow data to be uploaded. I therefore switched to using htmlentities like this:
$_POST[$key] = htmlentities($value, ENT_QUOTES, 'UTF-8');
As far as I am concerned, this is the right solution, but someone else is insisting that I am using htmlentities incorrectly and that mysql_real_escape_string is what should be used.
Can someone clarify this? Why not use htmlentities this way?
Christopher (Site Administrator, New York, NY, US; joined Wed Aug 25, 2004)
Re: mysql-real-escape string vs. htmlentities
They are for different things. mysql_real_escape_string() is to escape strings so they can be put in quotes for SQL statements. The danger is SQL injection attacks.
htmlentities() is used to ensure that strings do not contain valid HTML so that they can be displayed. The danger is things like cross-site scripting.
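To make the distinction in the reply concrete, here is an added example in PHP (not code from the thread or from either poster). It stores the submitted HTML unchanged, protects the SQL statement with a bound parameter, and encodes only when the value is written back into a page; it then shows why htmlentities() cannot stand in for SQL escaping and why encoding before storing is the wrong layer. The PDO connection $pdo and the table `pages(id INT PRIMARY KEY, body TEXT)` are assumed for the illustration, and the inputs are constructed. One caveat worth knowing: the mysql_* functions, mysql_real_escape_string() included, were removed in PHP 7, so bound parameters are the current way to get the same protection.

```php
<?php
// Added example, not the original thread's code. Two separate concerns:
// protect the SQL statement when a value goes into the database, and
// protect the HTML page when the value comes back out.
// Assumed (hypothetical): a PDO connection in $pdo and a table
// pages(id INT PRIMARY KEY, body TEXT).

// --- Database side: the raw HTML is stored exactly as submitted. ---------
function save_page(PDO $pdo, int $id, string $body): void
{
    // A bound parameter never becomes part of the SQL text, so quotes,
    // backslashes and NUL bytes in $body cannot change the statement.
    $stmt = $pdo->prepare('INSERT INTO pages (id, body) VALUES (:id, :body)');
    $stmt->execute([':id' => $id, ':body' => $body]);
}

function load_page(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT body FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

// --- Output side: encode at the moment the value is written into HTML. ---
function render_as_text(string $value): string
{
    // <, >, &, " and ' become entities, so stored markup is shown, not run.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- Why htmlentities() is not an SQL escaping function. ------------------
// It leaves the backslash alone, and MySQL treats a backslash inside a
// string literal as an escape character. Pasted into a hand-built literal,
// a value that ends in a backslash escapes the closing quote.
function hand_built_sql(string $entityEncoded): string
{
    return "INSERT INTO pages (body) VALUES ('" . $entityEncoded . "')";
}

$value   = 'C:\\path\\';                        // constructed input: C:\path\
$encoded = htmlentities($value, ENT_QUOTES, 'UTF-8');
var_dump($encoded === $value);                  // bool(true): nothing was changed
echo hand_built_sql($encoded), PHP_EOL;
// INSERT INTO pages (body) VALUES ('C:\path\')
// The \' is an escaped quote, so the literal is unterminated and the
// statement runs on to whatever quote follows it: a syntax error at best.

// --- Why encoding before storing is the wrong layer. ----------------------
$stored = htmlentities('<b>Bold & "quoted"</b>', ENT_QUOTES, 'UTF-8');
echo $stored, PHP_EOL;
// &lt;b&gt;Bold &amp; &quot;quoted&quot;&lt;/b&gt;  (what ends up in the DB)
echo render_as_text($stored), PHP_EOL;
// &amp;lt;b&amp;gt;Bold &amp;amp; ...  (double-encoded on output, and any
// consumer that is not an HTML page, such as search, an API or an e-mail
// template, receives entities instead of the text)
```

The rule the reply states, applied here: the database layer only ever sees the raw value through a parameter, and the HTML encoding happens once, in the template, with htmlspecialchars() doing the same job as htmlentities() for the characters that matter to XSS.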