Is it true that...
seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL

Post by seodevhead »

Is it true that all input data from a web form should be filtered FIRST and then escaped LAST? Should mysql_real_escape_string() be the LAST thing you do before sending it to the DB? Thanks!
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

Generally, though it can depend. Post code.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

I would say, Yes.

If the answer is no, then you've designed it wrong.
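The "filter first, escape last" rule John is agreeing with, shown as an added example that is not code from the thread. Validation decides what the data is and happens once; escaping is specific to the sink (here a MySQL string literal) and happens as the last step before the value reaches it. The `users` table, its columns and the connection details are assumptions. The old `mysql_*` functions the thread mentions were removed in PHP 7, so the example uses `mysqli`, and it also shows the prepared-statement form that removes the need to escape for the SQL sink at all.

```php
<?php
// Added example (not from the thread): validate form input first, escape for
// the target context as the very last step. Assumes a hypothetical "users"
// table with "username" and "email" columns.

function validate_signup(array $post): array
{
    $errors = [];

    // 1. Filter/validate: decide what the data IS, independent of where it goes.
    $username = trim($post['username'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
        $errors[] = 'username must be 3-20 characters: letters, digits, underscore';
    }

    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'invalid email address';
    }

    return [$errors, ['username' => $username, 'email' => $email]];
}

function insert_user(mysqli $db, array $clean): bool
{
    // 2. Escape LAST, for this specific sink: a quoted MySQL string literal.
    //    mysqli_real_escape_string() uses the connection's charset, so call
    //    $db->set_charset() before this. Escaping only protects values that
    //    sit inside quotes; an integer column would need (int) casting instead.
    $u = mysqli_real_escape_string($db, $clean['username']);
    $e = mysqli_real_escape_string($db, $clean['email']);
    $sql = "INSERT INTO users (username, email) VALUES ('$u', '$e')";
    return mysqli_query($db, $sql) === true;
}

// Prepared statements make the escape step unnecessary for the SQL sink:
// the values are sent separately and never become part of the SQL text.
function insert_user_prepared(mysqli $db, array $clean): bool
{
    $stmt = $db->prepare('INSERT INTO users (username, email) VALUES (?, ?)');
    $stmt->bind_param('ss', $clean['username'], $clean['email']);
    return $stmt->execute();
}

// Usage (connection parameters are placeholders):
// $db = new mysqli('localhost', 'app', 'secret', 'appdb');
// $db->set_charset('utf8mb4');
// [$errors, $clean] = validate_signup($_POST);
// if (!$errors) { insert_user_prepared($db, $clean); }
```

Note that the validated value is stored as-is: the escaping belongs to the query, not to the data, so the same `$clean['username']` can later be encoded for HTML, JSON or a shell command without first undoing a database-specific transformation.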
seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL

Post by seodevhead »

Do you guys ever use functions such as htmlentities() on a string before sending it to the database? Or do you use htmlentities() only when outputting to the client? Can you do both?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

mysql_real_escape_string() when inputting into the database
htmlspecialchars() when outputting onto a page
seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL

Post by seodevhead »

Is there a particular reason you choose to use htmlspecialchars() as opposed to the more exhaustive htmlentities()? I am in the process of hardening some scripts I have been writing and thought I would use htmlentities(), but would like to hear if there are any disadvantages to it. Thanks!
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

http://ca3.php.net/manual/en/function.htmlentities.php

"This function is identical to htmlspecialchars() in all ways, except with htmlentities(), all characters which have HTML character entity equivalents are translated into these entities."
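An added example (not code from the thread) for John's two points above: keep the stored value raw and encode it once at output with htmlspecialchars(), and compare that with htmlentities(). The sample strings are constructed. For XSS in HTML text and quoted attributes both functions neutralise the same five characters (& < > " '); htmlentities() additionally rewrites every non-ASCII character as an entity, which buys nothing when the page is served as UTF-8 and makes stored data larger and harder to search. Neither function is safe for JavaScript, URL or CSS contexts, which need their own encoders.

```php
<?php
// Added example (not from the thread). Encode at the output boundary;
// store raw. Flags are passed explicitly so behaviour does not depend on
// the PHP version's defaults.

const HTML_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;

// Encode a value for HTML text or a quoted attribute value.
function h(string $s): string
{
    return htmlspecialchars($s, HTML_FLAGS, 'UTF-8');
}

// Same contexts, but every character with a named entity is rewritten.
function h_entities(string $s): string
{
    return htmlentities($s, HTML_FLAGS, 'UTF-8');
}

// What goes wrong when the value was already encoded before storage:
// encoding it again on output turns the '&' of each entity into '&amp;',
// so the browser shows the entity text instead of the character.
function render_comment(string $stored_raw, string $stored_preencoded): array
{
    return [
        'raw_stored'        => '<p class="c">' . h($stored_raw) . '</p>',
        'preencoded_stored' => '<p class="c">' . h($stored_preencoded) . '</p>',
    ];
}

// Invalid byte sequences (constructed input). Without ENT_SUBSTITUTE both
// functions return an empty string for the whole value; with it, the bad
// bytes become U+FFFD and the markup characters are still encoded.
function encode_invalid_utf8(string $s): array
{
    return [
        'without_substitute' => htmlspecialchars($s, ENT_QUOTES, 'UTF-8'),
        'with_substitute'    => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
    ];
}

// Constructed sample: a comment as a user typed it.
$comment = 'Café "special" <script>alert(1)</script> & more';

echo h($comment), PHP_EOL;          // é kept as-is, markup characters encoded
echo h_entities($comment), PHP_EOL; // é becomes a named entity as well

// Store raw, encode on output, versus encode before storing and again on output.
$pre = h($comment);
print_r(render_comment($comment, $pre));

print_r(encode_invalid_utf8("abc\xff<b>"));
```

The practical rule that falls out of this: the database holds what the user actually typed, every template calls one encoder at the point where the value meets HTML, and the encoder is chosen for that context rather than baked into the stored data.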