Second, when using htmlspecialchars I should use that on output, when echo-ing a result from the database and not for entering it. Also, this variable must be between tags, and not inside tags and it will be safe.
Am I getting it now?
spartan7 wrote:
> Am I getting it now?

that question refers to security in general, then you probably still have lots to learn about. What you understood now will eliminate most of the security issues, but not all.
zareef wrote:
> One basic note for the users who are planning to use mysql_real_escape_string on all types of input from users (like $_GET, $_POST): it handles the new line character in a different way. All of your \n (new line characters) will be translated into the literal \n (slash N), which may create some problems in some situations, like sending emails.

Yeah. Sometimes I wonder why it is so hard for people to understand a simple principle: escape if you need to escape... otherwise, don't escape. If some data goes to a database, escape with mysql_real_escape_string() (or with some equivalent - or use prepared statements). Using it for other purposes will probably just corrupt data.
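The principle the thread settles on (store the raw value, escape only at the point of use, and for the context it is used in) as an added example that is not part of the thread; it assumes the pdo_sqlite extension is available so it runs offline, and the same PDO pattern applies to MySQL.

```php
<?php
// Added example, not from the thread. An in-memory SQLite database stands in
// for MySQL (assumption: pdo_sqlite is installed) so the script runs offline.

// 1. Input side: store the value exactly as received. A prepared statement
//    sends the data separately from the SQL text, so no escaping is needed
//    here and a real newline stays a real newline (no literal "\n" is stored,
//    which is the corruption zareef's note warns about).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed sample input: a newline, markup, and a quote that would close
// an attribute if echoed unescaped.
$userInput = "Line one\nLine two <b>bold</b> \" onmouseover=\"alert(1)";

$stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $userInput]);

// 2. Output side: escape for the context the value is echoed into.
$row = $db->query('SELECT body FROM comments')->fetch(PDO::FETCH_ASSOC);
assert($row['body'] === $userInput);   // stored verbatim, newline intact

// Between tags: htmlspecialchars() is enough. ENT_QUOTES is passed
// explicitly because before PHP 8.1 the default flags escaped only double
// quotes; with it the same call also covers a quoted attribute value.
$safe = htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8');
echo '<p>' . $safe . "</p>\n";
echo '<input value="' . $safe . "\">\n";

// Same stored value reused for a plain-text email body: no HTML escaping,
// and because it never went through mysql_real_escape_string() the newline
// is still a newline rather than the two characters backslash and n.
$emailBody = $row['body'];
assert(strpos($emailBody, "\n") !== false);
assert(strpos($emailBody, '\\n') === false);
echo $emailBody . "\n";
```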