Where do you guys stand on using mysql_real_escape_string as the only filter, as opposed to combining it with htmlentities?
Does htmlentities add an additional security blanket, or is it unnecessary and just adds the need to decode the data again when it is displayed?
htmlentities vs mysql_real_escape_string
Re: htmlentities vs mysql_real_escape_string
Neither combine, nor choose only one.
Every escape function corresponds to one output mechanism. When you output data to a (my)SQL query - use mysql_real_escape_string. When you output data to HTML, use htmlentities (with proper arguments). Neither of them is a substitute for the other.
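The one-escaper-per-sink rule above, worked through end to end. This is an added example, not code from the post or the thread: it uses PDO with an in-memory SQLite database so it runs offline (with MySQL only the DSN changes), and PDO::quote() plus bound parameters stand in for mysql_real_escape_string(), whose extension was removed in PHP 7. The users table and the hostile input are constructed for the demo.

```php
<?php
// Added example, not code from the thread. PDO + in-memory SQLite so it runs
// offline; with MySQL only the DSN changes. PDO::quote() and bound parameters
// stand in for mysql_real_escape_string() (its extension is gone since PHP 7).
// The `users` table and the input are constructed for the demo.

// Escaper for the SQL sink. Builds a quoted literal with the driver's own
// rules; bound parameters (below) are the better option whenever possible.
function sql_literal(PDO $db, string $value): string
{
    return $db->quote($value);
}

// Escaper for the HTML sink: &, <, >, " and ' become entities, so the value
// can only be text in the page, never markup or an attribute break-out.
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed input that is hostile in both contexts.
$input = "O'Brien <script>alert(1)</script>";

// Right: SQL escaping at the moment the value enters SQL, nothing else.
$db->exec('INSERT INTO users (name) VALUES (' . sql_literal($db, $input) . ')');

// Better still: no literal at all; the driver keeps data and code apart.
$stmt = $db->prepare('INSERT INTO users (name) VALUES (?)');
$stmt->execute([$input]);

// Wrong: HTML escaping used as the "SQL filter" before storage. It happens
// to remove this apostrophe, but the stored value is no longer the user's
// name, and on MySQL a backslash in the input would still be live.
$db->exec("INSERT INTO users (name) VALUES ('" . html_text($input) . "')");

// Right: HTML escaping at the moment the value enters HTML, regardless of
// how it was stored. Rows 1 and 2 display the real name with the script
// defused as text; row 3 is double-encoded and shows a literal "&#039;"
// and "&lt;script&gt;" to the visitor.
foreach ($db->query('SELECT id, name FROM users') as $row) {
    echo '<p>' . (int) $row['id'] . ': ' . html_text($row['name']) . "</p>\n";
}

// Wrong: SQL escaping used as the "HTML filter". Only the quote is altered;
// the tags reach the browser untouched and the script runs.
echo '<p>' . $db->quote($input) . "</p>\n";
```

The pattern to take away: store the raw value, escape for SQL (or better, bind) on the way into the query, escape for HTML on the way into the page. Escaping for one sink at the time of the other corrupts data in the best case and leaves the injection open in the worst.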
Re: htmlentities vs mysql_real_escape_string
My problem with htmlentities is that you can't use it with multi-lingual text, as it turns unicode characters into unintelligible gibberish (their HTML entity representation). Does anyone know how to escape unicode text to avoid XSS attacks?
Re: htmlentities vs mysql_real_escape_string
Isn't the 3rd parameter of the htmlentities function used for specifying the encoding?
But character encoding is an area I always find confusing, so hopefully someone who does know can give a more elaborate and better answer.
Code:
<?php
// Third argument names the charset of $str; ENT_QUOTES also escapes single quotes.
echo htmlentities($str, ENT_QUOTES, 'UTF-8');
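What the charset argument actually changes, and how htmlentities and htmlspecialchars differ on non-Latin text, worked through on constructed input. This is an added example, not code from the post: the strings are made up, the input is a mix of valid UTF-8 text and an XSS payload plus one deliberately truncated multibyte sequence, and it assumes the mbstring extension for mb_check_encoding().

```php
<?php
// Added example, not code from the thread. Inputs are constructed; mbstring
// is assumed for mb_check_encoding().

// Only &, <, >, " and ' are encoded; every multibyte UTF-8 character passes
// through unchanged. ENT_SUBSTITUTE replaces invalid byte sequences with
// U+FFFD instead of turning the whole result into an empty string.
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Check at the input boundary rather than relying on the escaper alone.
function is_valid_utf8(string $s): bool
{
    return mb_check_encoding($s, 'UTF-8');
}

$text = "Straße 日本語 <img src=x onerror=alert(1)>";

// Both calls defuse the payload; they differ in what they do to the text.
// htmlentities encodes every character that has a named entity in the
// doctype's table (ß becomes &szlig;), which is the "gibberish" in the
// page source; 日本語 has no named entities and is kept as-is.
$entities = htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// htmlspecialchars keeps all non-ASCII text readable and is just as safe
// for text nodes and quoted attributes.
$special = escape_html($text);

// Declaring the wrong charset is the real cause of mangled output: each
// byte of a UTF-8 sequence is treated as its own Latin-1 character and
// gets its own entity, so the text is no longer the original text.
$mangled = htmlentities($text, ENT_QUOTES, 'ISO-8859-1');

// Invalid UTF-8 (here 'é' cut off after its first byte) without
// ENT_SUBSTITUTE: the result is the empty string, so the page silently
// shows nothing for this value.
$broken = "caf\xC3";
$empty = htmlspecialchars($broken, ENT_QUOTES, 'UTF-8');
$kept = escape_html($broken);   // 'caf' followed by U+FFFD

var_dump($entities, $special, $mangled, $empty === '', $kept, is_valid_utf8($broken));
```

In practice: declare the real charset of the data (UTF-8 end to end, including the database connection), use htmlspecialchars with ENT_QUOTES for output, and reject or normalise invalid byte sequences before they reach either the database or the escaper.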
Bruno De Barros
Re: htmlentities vs mysql_real_escape_string
Question:
When PHP 6 is released, completely UTF-8 compatible, does that mean I can make a website with UTF-8 encoded HTML, and a database with UTF-8 data, and everything will work properly?