htmlentities vs mysql_real_escape_string

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

htmlentities vs mysql_real_escape_string

Post by Eran »

How do you guys stand between using mysql_real_escape_string as the only filter instead of combining it with htmlentities?
Does htmlentities add an additional security blanket or is it unnecessary and just adds the need to decode data back when sent to display?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: htmlentities vs mysql_real_escape_string

Post by Mordred »

Neither combine, nor choose only one.
Every escape function corresponds to one output mechanism. When you output data to a (my)SQL query - use mysql_real_escape_string. When you output data to HTML, use htmlentities (with proper arguments). Neither of them is a substitute for the other.
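The per-context rule above, as an added example that is not part of the thread: the SQL escape is applied where the value enters the query and the HTML encode where it enters the page, and the raw text (not an HTML-encoded copy) is what gets stored. The mysqli connection `$db` and the table `comments(body)` are assumed for illustration; `mysqli_real_escape_string` is the mysqli-era name of the function discussed, and `htmlspecialchars` is used for HTML because it touches only the markup-significant characters.

```php
<?php
// Added example (not from the thread): one escape per output context.
// Assumes a live mysqli connection $db and a hypothetical table comments(body).
declare(strict_types=1);

// Output context 1: a MySQL query. Escape at the point the value is spliced
// into SQL; the connection is needed so the escape knows the charset in use.
function storeComment(mysqli $db, string $body): void
{
    $safe = mysqli_real_escape_string($db, $body);
    $db->query("INSERT INTO comments (body) VALUES ('$safe')");
}

// Same thing with a bound parameter: there is no escaping step to forget.
function storeCommentBound(mysqli $db, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (?)');
    $stmt->bind_param('s', $body);
    $stmt->execute();
}

// Output context 2: an HTML document. Encode at the moment of display, with
// the charset the page is actually served in. Nothing here depends on what
// was done for the SQL context, and vice versa.
function renderComment(string $body): string
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed input containing markup and both quote styles.
$raw = "<script>alert(1)</script> it's \"quoted\"";
echo renderComment($raw), PHP_EOL;
```

Storing `htmlentities()` output in the database, as the first post considers, means every other consumer of the data (an API, a CSV export, a search index) receives entity-encoded text, and anything rendered through `renderComment()` is double-encoded; keeping the data raw and encoding once per output avoids both problems.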
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: htmlentities vs mysql_real_escape_string

Post by Eran »

My problem with htmlentities is that you can't use it with multi-lingual text, as it turns unicode characters into unintelligible gibberish (their html entities representation). Anyone knows how to escape unicode text to avoid XSS attacks?
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: htmlentities vs mysql_real_escape_string

Post by matthijs »

Isn't the 3rd parameter for the htmlentities function used for specifying the encoding?

Code:

echo htmlentities($str, ENT_QUOTES, 'UTF-8');
but character encoding is an area I always find confusing so hopefully someone who does know can give a more elaborate and better answer.
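An added example, not from the thread, showing what the charset argument does to multilingual text: with the correct charset, characters that have no named entity (Hebrew, Cyrillic) pass through untouched, while a mismatched charset entity-encodes the UTF-8 bytes one at a time, which is the "gibberish" described earlier in the thread. The sample string is constructed, and the `ENT_SUBSTITUTE` flag assumes PHP 5.4 or later.

```php
<?php
// Added example (not from the thread). Assumes PHP >= 5.4 for ENT_SUBSTITUTE.
declare(strict_types=1);

// Constructed sample: Hebrew, Bulgarian and accented Latin plus markup.
$text = "שלום <b>свят</b> café \"x\" 'y'";

// Correct charset: markup characters and, for htmlentities, characters with a
// named entity (é becomes &eacute;) are encoded; Hebrew and Cyrillic are kept.
echo htmlentities($text, ENT_QUOTES, 'UTF-8'), PHP_EOL;

// htmlspecialchars encodes only & < > " ' and leaves every other character
// alone, so multilingual text survives unchanged; this is the lighter choice.
echo htmlspecialchars($text, ENT_QUOTES, 'UTF-8'), PHP_EOL;

// Wrong charset: each byte of a multi-byte UTF-8 character is treated as a
// separate ISO-8859-1 character and gets its own entity.
echo htmlentities($text, ENT_QUOTES, 'ISO-8859-1'), PHP_EOL;

// Invalid UTF-8 (constructed): without a flag, htmlspecialchars returns an
// empty string for the whole input, which silently blanks the output.
$broken = "abc\xFF<def>";
var_dump(htmlspecialchars($broken, ENT_QUOTES, 'UTF-8'));

// With ENT_SUBSTITUTE the bad byte becomes U+FFFD and the markup is still
// escaped, so the rest of the text is not lost.
var_dump(htmlspecialchars($broken, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));

// A helper that bakes the choices in, so the charset cannot be left off.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo h($text), PHP_EOL;
```

The charset passed here has to match the charset the page is served with (the `Content-Type` header or `<meta charset>`); if the data was converted to ISO-8859-1 somewhere upstream, as happened with the filter component mentioned later in the thread, the fix is to stop that conversion rather than to change this argument.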
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: htmlentities vs mysql_real_escape_string

Post by Eran »

:? I actually knew about this and thought that's what I was using, but apparently I had data automatically filtered using ISO encoding through the use of the Zend_Filter_Input component... woe is me
Bruno De Barros
Forum Commoner
Posts: 82
Joined: Mon May 12, 2008 8:41 am
Location: Ireland

Re: htmlentities vs mysql_real_escape_string

Post by Bruno De Barros »

Question:
When PHP 6 is released, completely UTF-8 compatible, does that mean I can make a website with UTF-8 encoded HTML, and a database with UTF-8 data, and everything will work properly?