mysql_real_escape_string and htmlentities
Posted: Tue Mar 07, 2006 1:12 am
by s.dot
So I have this code:
$text = htmlentities($_POST['text'],ENT_QUOTES);
Is there a point in escaping that with mysql_real_escape_string?
Posted: Tue Mar 07, 2006 1:16 am
by Benjamin
I really don't know but I would just to be on the safe side.
Posted: Tue Mar 07, 2006 2:34 am
by matthijs
Depends on what you want to do with it.
Htmlentities is/should be used for escaping when you output a string as html.
Mysql_real_escape_string is/should be used for escaping data when you output it to a mysql database.
So those are 2 different things.
Posted: Tue Mar 07, 2006 3:25 am
by s.dot
Well, when inserting that into a database, all the quotes already look like &quot;.... so there wouldn't be anything to escape?
Posted: Tue Mar 07, 2006 3:27 am
by feyd
There could be however some other characters to escape. To be safe, always use mysql_real_escape_string() .. it's not like it really "hurts" anything.
Posted: Tue Mar 07, 2006 3:29 am
by Benjamin
html entities and mysql_escape_string do 2 totally different things.
html entities would turn & into &amp;
mysql_real_escape_string would turn ' into \' or " into \"
(might be, not sure) but you need that in addition to html entities.
Posted: Tue Mar 07, 2006 3:54 am
by s.dot
agtlewis wrote:html entities and mysql_escape_string do 2 totally different things.
html entities would turn & into &amp;
mysql_real_escape_string would turn ' into \' or " into \"
(might be, not sure) but you need that in addition to html entities.
htmlentities (given the proper parameters) would also turn " into &quot;
but feyd's right, I didn't think about escaping things besides quotes
I should've read the manual more carefully
PHP manual - mysql_real_escape_string wrote:mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.
Posted: Tue Mar 07, 2006 4:31 am
by matthijs
But besides what both do exactly, more important is what they are meant to do. In other words, in what situation you use which one. As I said before, mysql_real_escape_string when escaping for a db, htmlentities for escaping output to html. So you won't use both at the same time. The guide at http://phpsec.org/php-security-guide.pdf explains it quite well.
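To make matthijs's point concrete (and feyd's "other characters" from the manual list), here is an added example; it is not code from the thread or from the phpsec guide. The user's text is stored raw, the SQL layer is handled by the database driver at INSERT time, and htmlentities() runs only when the text is rendered. It assumes PHP 7 or later with the pdo_sqlite extension: an in-memory SQLite database stands in for the MySQL connection the thread talks about, and PDO bound parameters stand in for mysql_real_escape_string(), which was removed together with the mysql extension in PHP 7. The input string is constructed for the demonstration.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7 with pdo_sqlite.
// SQLite in memory stands in for the MySQL server; with pdo_mysql the only
// change is the DSN, e.g. 'mysql:host=...;dbname=...;charset=utf8mb4', where
// declaring the charset matters because client-side escaping depends on it.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// SQL context. The bound parameter is escaped (or sent out of band) by the
// driver, so the text reaches the table exactly as typed. No HTML encoding here.
function store_post(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function load_post(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    if ($body === false) {
        throw new RuntimeException("no post with id $id");
    }
    return $body;
}

// HTML context. Escape when the text is written into the page, with both quote
// styles encoded and the page's charset stated explicitly.
function render_post(string $body): string
{
    return '<p>' . htmlentities($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Constructed input with something for each layer: quotes and a tag for the
// HTML side; a backslash, CR and LF, three of the characters the manual lists
// for mysql_real_escape_string(), for the SQL side.
$input = "O'Reilly said \"hi\" <script>alert(1)</script> C:\\temp\r\nline 2";

$db = open_db();
$id = store_post($db, $input);
$stored = load_post($db, $id);

// 1. The database holds the raw text: the round trip is lossless.
if ($stored !== $input) {
    throw new RuntimeException('stored text differs from input');
}

// 2. htmlentities() leaves backslash, CR and LF alone, so encoding for HTML
//    before the INSERT does nothing for the SQL side; the driver (or, in 2006,
//    mysql_real_escape_string) still has to do its job.
$htmlEncoded = htmlentities($input, ENT_QUOTES, 'UTF-8');
if (strpbrk($htmlEncoded, "\\\r\n") === false) {
    throw new RuntimeException('unexpected: backslash/CR/LF were encoded');
}

// 3. Rendered output is inert markup, and decoding it gives the original back,
//    which is what storing raw text plus escaping at output buys you.
$html = render_post($stored);
if (html_entity_decode($html, ENT_QUOTES, 'UTF-8') !== '<p>' . $input . '</p>') {
    throw new RuntimeException('render/decode round trip failed');
}
echo $html, "\n";
```

If you do store entity-encoded text, as s.dot does, the SQL side is unchanged: the driver escapes whatever bytes the string contains. What changes is the output side, which must then not call htmlentities() a second time, or every stored &amp; comes out as &amp;amp; on the page.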
Posted: Tue Mar 07, 2006 7:59 am
by s.dot
I don't have it confused.
I'm storing htmlentity'd text into the database =]
Posted: Tue Mar 07, 2006 10:47 am
by matthijs
OK, no offence

didn't know you wanted to do that.
Posted: Tue Mar 07, 2006 8:43 pm
by s.dot
It's all good, I appreciate your input

Posted: Thu Mar 09, 2006 2:53 am
by Maugrim_The_Reaper
Don't forget the htmlentities character encoding...
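Maugrim's point, as an added example that is not code from the thread: the third argument of htmlentities() must match the encoding of the bytes it is given, and since PHP 5.4 a mismatch is not cosmetic, because invalid input makes the function return an empty string. The same applies on the database side, where mysql_real_escape_string() escapes according to the connection's charset. The example assumes PHP 5.4 or later and the mbstring extension; the two byte strings are constructed for the demonstration.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 5.4 (ENT_SUBSTITUTE and
// the empty-string result on invalid input both date from that release) and
// the mbstring extension for mb_check_encoding().

// Encode for HTML output, declaring which encoding the bytes are in.
function to_html(string $s, string $charset): string
{
    return htmlentities($s, ENT_QUOTES, $charset);
}

// Same, but never discard the whole string on a bad byte: substitute U+FFFD so
// the rest of the post survives and the damage is visible in the page.
function to_html_lenient(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Better still, check at the input boundary: reject a submission whose bytes are
// not valid UTF-8 before it is stored, rather than discovering it at render time.
function is_valid_utf8(string $s): bool
{
    return mb_check_encoding($s, 'UTF-8');
}

// Constructed inputs: "café" as ISO-8859-1 bytes (what a form on a page with no
// declared charset may submit) and as UTF-8 bytes (what it should submit).
$latin1 = "caf\xE9";
$utf8   = "caf\xC3\xA9";

$results = [
    // Charset argument matches the bytes: both encode to the named entity.
    'latin1 declared latin1' => to_html($latin1, 'ISO-8859-1'),
    'utf8 declared utf8'     => to_html($utf8, 'UTF-8'),
    // Mismatch: \xE9 is not valid UTF-8, and htmlentities() returns an empty
    // string instead of partial output. The post vanishes with no error raised.
    'latin1 declared utf8'   => to_html($latin1, 'UTF-8'),
    // Lenient form: text kept, bad byte replaced by U+FFFD (EF BF BD in UTF-8).
    'latin1 lenient'         => to_html_lenient($latin1),
];

$expected = [
    'latin1 declared latin1' => 'caf&eacute;',
    'utf8 declared utf8'     => 'caf&eacute;',
    'latin1 declared utf8'   => '',
    'latin1 lenient'         => "caf\xEF\xBF\xBD",
];

foreach ($expected as $case => $want) {
    if ($results[$case] !== $want) {
        throw new RuntimeException("$case: got " . bin2hex($results[$case]));
    }
    echo str_pad($case, 24), ' => ', bin2hex($results[$case]), "\n";
}

// The boundary check catches the bad submission before any of the above matters.
if (is_valid_utf8($latin1) || !is_valid_utf8($utf8)) {
    throw new RuntimeException('UTF-8 validity check misbehaved');
}
```

The practical rule is one encoding end to end: the page's declared charset, the bytes accepted from the form, the connection charset of the database, and the third argument to htmlentities() all name the same encoding, and anything that fails the boundary check is rejected rather than silently blanked at output.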
