Should I escape more than quotes and single quotes?
I have a review/comments script which stores info into a db. I escape those entries with the standard mysql_escape_string.
Is it good practice to also escape left and right brackets to prevent html injection?
I noticed I could inject html, but couldn't seem to inject a PHP echo statement.
You should use mysql_real_escape_string.
It is the same as mysql_escape_string, with the exception that the character set is taken into consideration when escaping special characters. So, mysql_real_escape_string would provide you with international string escaping.
Also, as mentioned above you could use htmlentities to prevent it from being read by the browser.
Or, you could use htmlspecialchars to allow these special markings, and have them inserted into the database as their HTML entity.
However, if you need all special characters to be converted, it's recommended that you go with htmlentities() because this will translate all special characters into their entities. Then use eval() to print back to the browser.
Or, if you don't want any HTML at all to be passed to the database use strip_tags().
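The thread mixes two separate concerns: keeping user text from being parsed as SQL when it is stored, and keeping it from being parsed as HTML when it is shown. The example below is added here and is not code from the original thread or from either poster. It takes a different approach from the answer above: the comment is stored exactly as typed (via a prepared statement, which replaces the mysql_* escaping functions entirely), and HTML escaping is applied only at render time, so the stored text stays usable for other outputs (JSON, e-mail, search) without double encoding. It assumes PHP 8 with the pdo_sqlite extension so it can run against an in-memory database; the comment texts are constructed sample input.

```php
<?php
// Added example (not from the original thread): keep SQL escaping and HTML
// escaping at their own layers. Assumes PHP 8 with the pdo_sqlite extension;
// all comment texts below are constructed sample input.

declare(strict_types=1);

function openStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');
    return $db;
}

// Storage layer: a prepared statement sends each value separately from the SQL
// text, so quotes and angle brackets are stored exactly as typed and are never
// interpreted as SQL. No mysql_escape_string / mysql_real_escape_string needed.
function storeComment(PDO $db, string $author, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

// Output layer: encode when rendering, not when storing. ENT_QUOTES covers both
// quote styles, which matters when a value lands inside an attribute as well as
// in element text; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function renderComment(string $author, string $body): string
{
    $a = htmlspecialchars($author, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $b = htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<li data-author=\"$a\"><strong>$a</strong>: $b</li>";
}

function renderAll(PDO $db): string
{
    $out = "<ul>\n";
    foreach ($db->query('SELECT author, body FROM comments ORDER BY id') as $row) {
        $out .= renderComment($row['author'], $row['body']) . "\n";
    }
    return $out . "</ul>\n";
}

// Returns the raw stored bodies, to show that nothing was altered on the way in.
function storedBodies(PDO $db): array
{
    return $db->query('SELECT body FROM comments ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
}

$db = openStore();

// Constructed inputs: a name with an apostrophe (breaks naive SQL string
// building), markup that would be rendered if echoed raw, and a value that
// tries to close an attribute it is placed into.
storeComment($db, "O'Reilly", 'Loved it <b>5 stars</b>');
storeComment($db, 'guest" onmouseover="x', '<script>alert(1)</script>');

// Stored text is unchanged; rendered text has every <, >, &, " and ' encoded.
print_r(storedBodies($db));
echo renderAll($db);
```

If the site has a second output channel (an RSS feed, a JSON API, admin e-mail notifications), each one applies its own encoding at its own boundary; storing pre-encoded HTML entities, as the answer suggests, would leave those channels with `&lt;` and `&quot;` in plain-text contexts and would double-encode anything that is later passed through htmlspecialchars() again.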