mysql-real-escape string vs. htmlentities

Posted: Sat May 28, 2011 1:41 pm
by rhecker
On a home-made CMS where html code needs to be stored in the MySQL database, I discovered that mysql_real_escape_string did not always allow data to be uploaded. I therefore switched to using htmlentities like this:
$_POST[$key] = htmlentities($value, ENT_QUOTES, 'UTF-8');

As far as I am concerned, this is the right solution, but someone else is insisting that I am using htmlentities incorrectly and that mysql_real_escape_string is what should be used.

Can someone clarify this? Why not use htmlentities this way?

Re: mysql-real-escape string vs. htmlentities

Posted: Sat May 28, 2011 10:37 pm
by Christopher
They are for different things. mysql_real_escape_string() is to escape strings so they can be put in quotes for SQL statements. The danger is SQL injection attacks.

htmlentities() is used to ensure that strings do not contain valid HTML so that they can be displayed. The danger is things like cross-site scripting.
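The two contexts Christopher describes, side by side, as an added example that is not part of either post and not code from the questioner's CMS. It assumes a PDO connection $pdo to MySQL and a table pages(id, title, body); the table, the column names and the function names are hypothetical. The SQL boundary is handled when the markup is stored (unchanged), and the HTML boundary is handled when the stored markup is shown back as text in an edit form:

```php
<?php
// Added example, not from the thread. Assumes $pdo is a PDO connection to MySQL
// and a hypothetical table: pages(id INT AUTO_INCREMENT PRIMARY KEY,
//                                title VARCHAR(255), body MEDIUMTEXT)

// 1. SQL context (storing). The HTML is stored exactly as submitted.
//    A prepared statement keeps the value out of the SQL text, so no escaping
//    of any kind is applied to the data on the way in.
function savePage(PDO $pdo, string $title, string $html): int
{
    $stmt = $pdo->prepare('INSERT INTO pages (title, body) VALUES (:title, :body)');
    $stmt->execute([':title' => $title, ':body' => $html]);
    return (int) $pdo->lastInsertId();
}

// The mysql_* API discussed in the thread has no placeholders. There the value is
// escaped for the SQL quoting rules only (quotes, backslashes, NUL), and the
// stored text is still the original HTML, not entity-encoded HTML.
function buildInsertLegacy($link, string $title, string $html): string
{
    return sprintf(
        "INSERT INTO pages (title, body) VALUES ('%s', '%s')",
        mysql_real_escape_string($title, $link),
        mysql_real_escape_string($html, $link)
    );
}

function loadPage(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, title, body FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. HTML context (displaying). The edit form must show the markup as literal
//    text, so the escaping happens here, at output time, per field.
//    ENT_QUOTES covers both quote styles because the title lands inside a
//    double-quoted attribute value.
function renderEditForm(array $page): string
{
    $title = htmlspecialchars($page['title'], ENT_QUOTES, 'UTF-8');
    $body  = htmlspecialchars($page['body'], ENT_QUOTES, 'UTF-8');
    return '<input name="title" value="' . $title . '">' . "\n"
         . '<textarea name="body">' . $body . '</textarea>';
}

// Usage (constructed sample input; $pdo set up elsewhere):
// $id   = savePage($pdo, "Editor's notes", '<p class="x">Hello &amp; welcome</p>');
// $page = loadPage($pdo, $id);
// echo renderEditForm($page);
// The textarea then contains &lt;p class=&quot;x&quot;&gt;Hello &amp;amp; welcome&lt;/p&gt;
// while the database row still holds the raw <p class="x">...</p> markup.
```

Applying htmlentities() before storage, as in the question, "works" only because ENT_QUOTES happens to encode the quote characters; the side effect is that the database then holds entity-encoded markup, so every page view has to decode it again before the HTML can render, and the SQL quoting rules (backslashes, NUL bytes) are never addressed. Keeping the escaping at the boundary it belongs to avoids both problems.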