Is it true that...
Posted: Sat Feb 18, 2006 1:38 pm
by seodevhead
Is it true that all inputted data from a web form should be filtered FIRST then escaped LAST? Should mysql_real_escape_string be the LAST thing you do before sending it to the DB? thanks!
Posted: Sat Feb 18, 2006 1:41 pm
by josh
Generally, it can depend though. Post code.
Posted: Sat Feb 18, 2006 2:09 pm
by John Cartwright
I would say, Yes.
If the answer is no, then you've designed it wrong.
Posted: Sat Feb 18, 2006 2:26 pm
by seodevhead
Do you guys ever use functions such as htmlentities on a string before sending to the Database? Or do you use the htmlentities() only when outputting to the client? Can you do both???
Posted: Sat Feb 18, 2006 2:33 pm
by John Cartwright
mysql_real_escape_string() when inputting into the database
htmlspecialchars() when outputting onto a page
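The order asked about in the first post and answered above (filter on the way in, escape for SQL as the last step before the query, escape for HTML only at output), as an added PHP example that is not code from anyone in this thread. It assumes a live mysqli connection in `$db` and a table `users(name, age)`; both are assumptions for illustration. The PHP 4/5 `mysql_*` functions were removed in PHP 7, so `mysqli_real_escape_string()` stands in for `mysql_real_escape_string()`.

```php
<?php
// Added example (not from the thread). Assumed: a mysqli connection $db and a
// table users(name, age). mysqli_real_escape_string() stands in for the removed
// mysql_real_escape_string(); the ordering argument is the same.

// Step 1: validate/filter the raw form input. Reject what does not fit the
// field rather than trying to "clean" it into shape.
function validate_name($raw) {
    $name = trim((string)$raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 60) {
        return null;
    }
    // Letters, combining marks, spaces, apostrophes and hyphens (O'Brien, Anne-Marie).
    if (!preg_match('/^[\p{L}\p{M} \'\-]+$/u', $name)) {
        return null;
    }
    return $name;
}

function validate_age($raw) {
    $age = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    return $age === false ? null : $age;
}

// Step 2: escape for SQL as the LAST thing before the query string is built.
// The escaping depends on the connection's character set, which is why it is
// tied to $db and why it must not be done earlier (e.g. in the form handler).
function insert_user(mysqli $db, $name, $age) {
    $sql = sprintf(
        "INSERT INTO users (name, age) VALUES ('%s', %d)",
        mysqli_real_escape_string($db, $name),
        $age
    );
    return mysqli_query($db, $sql);
}

// Step 3: escape for HTML only when the value is rendered. The stored value
// stays plain text; a value HTML-escaped at insert time would be wrong for
// every other consumer (JSON API, CSV export, e-mail).
function render_user_row($name, $age) {
    return '<tr><td>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
         . '</td><td>' . (int)$age . '</td></tr>';
}

// Usage: $_POST values are whatever the form submitted.
$name = validate_name($_POST['name'] ?? '');
$age  = validate_age($_POST['age'] ?? '');
if ($name === null || $age === null) {
    http_response_code(400);
    exit('Invalid input');
}
mysqli_set_charset($db, 'utf8mb4');   // escaping must match the connection charset
insert_user($db, $name, $age);
echo render_user_row($name, $age);
```

With mysqli or PDO prepared statements the SQL escaping step disappears altogether, because the value never becomes part of the SQL text; the validate-first, encode-at-the-output-boundary order still applies unchanged on the HTML side.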
Posted: Sat Feb 18, 2006 2:48 pm
by seodevhead
Is there a particular reason you choose to use htmlspecialchars() as opposed to the more exhaustive htmlentities()? I am in the process of hardening some scripts I have been writing and thought I would use htmlentities(), but would like to hear if there are any disadvantages to it. Thanks!
Posted: Sat Feb 18, 2006 3:02 pm
by John Cartwright
http://ca3.php.net/manual/en/function.htmlentities.php

"This function is identical to htmlspecialchars() in all ways, except with htmlentities(), all characters which have HTML character entity equivalents are translated into these entities."
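What that manual sentence means in practice, as an added PHP example that is not from the thread: the same constructed input run through both functions, plus what happens when a value is HTML-encoded before storage and encoded again on output (the "do both" question earlier in the thread). The input string is constructed for illustration.

```php
<?php
// Added example (not from the thread): htmlspecialchars() versus htmlentities()
// on one constructed input, and the double-encoding that results from encoding
// both before storage and at output.

// Constructed input, the kind of thing a form might submit.
$input = "<b>O'Brien</b> says \"café\" costs 5€ & more";

// Quote mode and charset are given explicitly. The defaults changed in PHP 8.1
// (ENT_QUOTES became the default), so relying on them ties behaviour to the
// interpreter version.
$flags = ENT_QUOTES | ENT_SUBSTITUTE;

$special  = htmlspecialchars($input, $flags, 'UTF-8');
$entities = htmlentities($input, $flags, 'UTF-8');

// htmlspecialchars: only the characters with meaning in HTML (& < > " ')
// are encoded. é and € pass through, which is correct on a UTF-8 page.
// Output: &lt;b&gt;O&#039;Brien&lt;/b&gt; says &quot;café&quot; costs 5€ &amp; more
echo $special, "\n";

// htmlentities: additionally turns every character with a named entity into
// that entity. The security-relevant characters come out identical; the extra
// conversion only matters if the page charset cannot represent the character.
// Output: &lt;b&gt;O&#039;Brien&lt;/b&gt; says &quot;caf&eacute;&quot; costs 5&euro; &amp; more
echo $entities, "\n";

// Encoding before storage AND on output double-encodes: the browser then shows
// the literal text "&lt;b&gt;" instead of "<b>".
$stored_encoded = htmlspecialchars($input, $flags, 'UTF-8');   // wrongly done at insert time
$double = htmlspecialchars($stored_encoded, $flags, 'UTF-8');
// Output: &amp;lt;b&amp;gt;O&amp;#039;Brien&amp;lt;/b&amp;gt; says &amp;quot;café&amp;quot; costs 5€ &amp;amp; more
echo $double, "\n";

// double_encode=false leaves existing entities alone, so output encoding
// becomes idempotent, but the stored value is still wrong for non-HTML
// consumers. Storing plain text and encoding once at output avoids both problems.
$once = htmlspecialchars($stored_encoded, $flags, 'UTF-8', false);
var_dump($once === $stored_encoded);   // bool(true)
```

On a UTF-8 page with the charset declared, `htmlspecialchars()` with `ENT_QUOTES` covers the injection-relevant characters; `htmlentities()` buys no additional protection, only a larger output.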