mysql-real-escape string vs. htmlentities

rhecker
Forum Contributor
Posts: 178
Joined: Fri Jul 11, 2008 5:49 pm

mysql-real-escape string vs. htmlentities

Post by rhecker »

On a home-made CMS where HTML code needs to be stored in the MySQL database, I discovered that mysql_real_escape_string did not always allow data to be uploaded. I therefore switched to using htmlentities like this:
$_POST[$key] = htmlentities($value, ENT_QUOTES, 'UTF-8');

As far as I am concerned, this is the right solution, but someone else is insisting that I am using htmlentities incorrectly and that mysql_real_escape_string is what should be used.

Can someone clarify this? Why not use htmlentities this way?
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: mysql-real-escape string vs. htmlentities

Post by Christopher »

They are for different things. mysql_real_escape_string() is to escape strings so they can be put in quotes for SQL statements. The danger is SQL injection attacks.

htmlentities() is used to ensure that strings do not contain valid HTML so that they can be displayed. The danger is things like cross-site scripting.
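The two separate contexts Christopher describes, shown end to end in an added example that is not code from either poster. The SQL layer uses PDO with an in-memory SQLite database (an assumption so the script runs offline with the pdo_sqlite extension; in a real CMS the DSN would point at MySQL) and a prepared statement, which is the modern replacement for mysql_real_escape_string (removed in PHP 7); PDO::quote() is shown alongside it as the closest direct analogue of the escape-then-quote approach. The HTML layer is rhecker's htmlentities() call, but applied when the content is rendered rather than before it is stored. The table name, function names and sample input are constructed for the example.

```php
<?php
// Added example: the two escaping layers from the thread, demonstrated with
// PDO + SQLite (assumed available) so it runs without a MySQL server.
declare(strict_types=1);

// Constructed sample input: CMS content with quotes, a backslash and a
// script tag, i.e. the kind of value that breaks naive SQL string building
// and that must not reach a browser unescaped.
$submitted = "Bob's <b>\"CMS\" page</b> \\ <script>alert(1)</script>";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Layer 1, SQL context, option A: escape-and-quote, the job
// mysql_real_escape_string did. PDO::quote() returns a string literal that
// is safe to splice into a statement for this connection's driver.
function sqlLiteral(PDO $db, string $value): string
{
    return $db->quote($value);
}

// Layer 1, SQL context, option B (preferred): a parameterised query. The
// value travels separately from the SQL text, so quotes and backslashes in
// the content cannot change the statement. The HTML is stored unmodified.
function storePage(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO pages (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadPage(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Layer 2, HTML context: escape at render time, not at storage time, so the
// database keeps the author's original text and each output path decides
// whether the content is trusted markup or untrusted text to be displayed.
function renderAsText(string $body): string
{
    return htmlentities($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo "as SQL literal: " . sqlLiteral($db, $submitted) . "\n";

$id     = storePage($db, $submitted);
$stored = loadPage($db, $id);
if ($stored !== $submitted) {
    throw new RuntimeException('stored content was altered on the way through the database');
}

echo "stored (raw):   $stored\n";
echo "rendered (esc): " . renderAsText($stored) . "\n";
```

Storing the raw text and escaping on output also avoids the problem that comes with encoding before storage: content that is later edited, exported or shown outside HTML would otherwise carry entities that get encoded a second time.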