Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Is there a point in escaping that with mysql_real_escape_string?
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
Depends on what you want to do with it.
Htmlentities is/should be used for escaping when you output a string as html.
Mysql_real_escape_string is/should be used for escaping data when you output it to a mysql database.
So those are 2 different things.
well when inserting that into a database, all the quotes already look like &quot;.... so there wouldn't be anything to escape?
agtlewis wrote: html entities and mysql_escape_string do 2 totally different things.
html entities would turn & into &amp;
mysql_real_escape_string would turn ' into \' or " into \"
(might be / not sure) but you need that in addition to html entities.
htmlentities (given the proper parameters) would also turn " into &quot;
but feyd's right, I didn't think about escaping things besides quotes
I should've read the manual more carefully
PHP manual - mysql_real_escape_string wrote: mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.
But besides what both do exactly, more important is what they are meant to do. In other words, in what situation you use which one. As I said before, mysql_real_escape_string when escaping for a db, htmlentities for escaping output to html. So you won't use both at the same time. The http://phpsec.org/php-security-guide.pdf explains it quite well.
I'm storing htmlentity'd text into the database =]
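An added example (not code from anyone in this thread) showing one escaper per context, as the replies above recommend, and what goes wrong with the "store htmlentity'd text" approach. Because mysql_real_escape_string() needs a live connection (the escaping depends on the connection charset), the SQL escaper here is a stand-in that applies only the byte list quoted from the PHP manual; escapeForMysqlDemo, escapeForHtml and the sample input are constructed for this demo.

```php
<?php
// Stand-in for mysql_real_escape_string(): prepends a backslash to the
// characters the PHP manual lists (\x00, \n, \r, \, ', " and \x1a).
// A real application must use the connection-aware function instead.
function escapeForMysqlDemo(string $s): string {
    return strtr($s, [
        "\x00" => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\x1a" => "\\Z",
    ]);
}

// HTML context: the real htmlentities(); ENT_QUOTES makes it encode both
// single and double quotes, which the default flags do not.
function escapeForHtml(string $s): string {
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

$input = "O'Reilly & <b>\"bold\"</b>";   // constructed sample user input

// 1. Into the database: SQL escaping only; the raw text is what gets stored.
$sql = "INSERT INTO comments (body) VALUES ('" . escapeForMysqlDemo($input) . "')";
echo $sql, "\n";

// 2. Back out into a page: HTML escaping only, applied at output time.
echo escapeForHtml($input), "\n";

// 3. The "store htmlentity'd text" approach: the value in the database is
//    already encoded, so escaping it again on output double-encodes it and
//    the browser shows &amp;quot; style entities literally.
$stored = escapeForHtml($input);
echo escapeForHtml($stored), "\n";

// 4. Nor does htmlentities() make the value safe for the SQL context: it
//    leaves backslashes and newlines alone, so the query still needs the
//    SQL escaper before the INSERT, exactly as the manual quote says.
$stored2 = escapeForHtml("path\\name\nline2");
echo $stored2, "\n";
echo escapeForMysqlDemo($stored2), "\n";
```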