
mysql_real_escape_string and htmlentities

Posted: Tue Mar 07, 2006 1:12 am
by s.dot
so I have this code


$text = htmlentities($_POST['text'],ENT_QUOTES);
Is there a point in escaping that with mysql_real_escape_string?

Posted: Tue Mar 07, 2006 1:16 am
by Benjamin
I really don't know but I would just to be on the safe side.

Posted: Tue Mar 07, 2006 2:34 am
by matthijs
Depends on what you want to do with it.
Htmlentities is/should be used for escaping when you output a string as html.
Mysql_real_escape_string is/should be used for escaping data when you output it to a mysql database.
So those are 2 different things.

Posted: Tue Mar 07, 2006 3:25 am
by s.dot
well when inserting that into a database, all the quotes already look like ".... so there wouldn't be anything to escape?

Posted: Tue Mar 07, 2006 3:27 am
by feyd
There could be however some other characters to escape. To be safe, always use mysql_real_escape_string() .. it's not like it really "hurts" anything.

Posted: Tue Mar 07, 2006 3:29 am
by Benjamin
html entities and mysql_escape_string do 2 totally different things.

html entities would turn & into &amp;

mysql_real_escape_string would turn ' into \' or " into \"

(might be / not sure) but you need that in addition to html entities.

Posted: Tue Mar 07, 2006 3:54 am
by s.dot
agtlewis wrote:html entities and mysql_escape_string do 2 totally different things.

html entities would turn & into &amp;

mysql_real_escape_string would turn ' into \' or " into \"

(might be / not sure) but you need that in addition to html entities.
htmlentities (given the proper parameters) would also turn " into &quot;
but feyd's right, I didn't think about escaping things besides quotes

I should've read the manual more carefully
PHP manual - mysql_real_escape_string wrote:mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.

Posted: Tue Mar 07, 2006 4:31 am
by matthijs
But besides what both do exactly, more important is what they are meant to do. In other words, in what situation you use which one. As I said before, mysql_real_escape_string when escaping for a db, htmlentities for escaping output to html. So you won't use both at the same time. The http://phpsec.org/php-security-guide.pdf explains it quite well.

Posted: Tue Mar 07, 2006 7:59 am
by s.dot
I don't have it confused.

I'm storing htmlentity'd text into the database =]

Posted: Tue Mar 07, 2006 10:47 am
by matthijs
ok, no offence :) didn't know you wanted to do that.

Posted: Tue Mar 07, 2006 8:43 pm
by s.dot
it's all good, I appreciate your input :-D

Posted: Thu Mar 09, 2006 2:53 am
by Maugrim_The_Reaper
Don't forget the htmlentities character encoding...;)
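The points raised in the thread (feyd and the manual quote: mysql_real_escape_string handles characters htmlentities never touches; matthijs: each output sink gets its own escaping; Maugrim: give htmlentities a charset), worked through as an added example that is not code from the thread or from any of its posters. It assumes PHP 7 or later; the function names sql_escape_demo, html_escape, login_query and expect, and every input string, are constructed for this file. mysql_real_escape_string() was removed in PHP 7 and, like its mysqli successor, needs a live connection because it is charset-aware, so the file uses a stand-in that applies only the byte rule quoted from the manual above; it exists to show what the real function does, not to replace it.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7 or later; the
// function names sql_escape_demo, html_escape, login_query and expect are
// invented for this file, and all inputs are constructed.

// Stand-in for mysql_real_escape_string(): prepend a backslash to
// \x00, \n, \r, \, ', " and \x1a, exactly as the manual describes.
// The real function needs a connection (it is charset-aware); use it,
// or better a prepared statement, in real code.
function sql_escape_demo(string $s): string
{
    return strtr($s, [
        "\x00" => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\x1a" => "\\Z",
    ]);
}

// The HTML-sink escaping from the first post, with the charset given
// explicitly (the point of the last post in the thread).
function html_escape(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// The kind of query the thread is about: user data spliced into SQL text,
// escaped by whatever $escape the caller chose.
function login_query(string $user, string $pass, callable $escape): string
{
    return "SELECT id FROM users WHERE name = '" . $escape($user)
         . "' AND pass = '" . $escape($pass) . "'";
}

// Tiny self-check so the file verifies its own claims when run.
function expect(string $label, string $actual, string $wanted): void
{
    if ($actual !== $wanted) {
        throw new RuntimeException("$label: got $actual");
    }
    echo "$label:\n  $actual\n";
}

// Constructed attacker input with no quote characters at all, so ENT_QUOTES
// has nothing to do. The attack rides on the backslash, which htmlentities()
// leaves untouched.
$user = "\\";            // a single backslash
$pass = " OR 1=1 -- ";

// MySQL reads \' as an escaped quote, so the name literal swallows its own
// closing delimiter and runs on to the next quote; what follows that quote,
// OR 1=1 -- ', is live SQL and the password check is gone.
expect('HTML-escaped only (query structure broken)',
    login_query($user, $pass, 'html_escape'),
    "SELECT id FROM users WHERE name = '\\' AND pass = ' OR 1=1 -- '");

// The backslash is doubled, so '\\' is a literal backslash and the pass
// literal is plain text.
expect('SQL-escaped (query structure intact)',
    login_query($user, $pass, 'sql_escape_demo'),
    "SELECT id FROM users WHERE name = '\\\\' AND pass = ' OR 1=1 -- '");

// Each sink gets its own escaping at the point of use, applied to the raw
// value. Storing HTML-escaped text works for a pure HTML sink, but the page
// must then not escape again on output, and the stored text is wrong for any
// non-HTML use (e-mail, JSON, search, export).
$comment = "Tom & Jerry's \"best\" <b>episode</b>\n";
expect('for SQL', sql_escape_demo($comment),
    "Tom & Jerry\\'s \\\"best\\\" <b>episode</b>\\n");
expect('for HTML', html_escape($comment),
    "Tom &amp; Jerry&#039;s &quot;best&quot; &lt;b&gt;episode&lt;/b&gt;\n");

// Double encoding: HTML-escaping already HTML-escaped text on output.
$twice = html_escape(html_escape($comment));
expect('escaped twice', substr($twice, 0, 13), 'Tom &amp;amp;');
```

Run it with `php` on the command line; each expect() prints the escaped string or throws if the result differs from the value stated. The first two checks are the answer to the thread's question: with only htmlentities() in front of the query, a single backslash in one field turns the next field into SQL, and no quote character is needed to do it. Today the SQL side of this is best handled with a prepared statement and bound parameters, which takes escaping out of the picture for that sink; the HTML escaping on output stays regardless.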