htmlentities vs mysql_real_escape_string
Posted: Sun May 25, 2008 6:59 pm
by Eran
How do you guys stand between using mysql_real_escape_string as the only filter instead of combining it with htmlentities?
Does htmlentities add an additional security blanket or is it unnecessary and just adds the need to decode data back when sent to display?
Re: htmlentities vs mysql_real_escape_string
Posted: Mon May 26, 2008 1:34 am
by Mordred
Neither combine, nor choose only one.
Every escape function corresponds to one output mechanism. When you output data to a (my)SQL query - use mysql_real_escape_string. When you output data to HTML, use htmlentities (with proper arguments). Neither of them is a substitute for the other.
Re: htmlentities vs mysql_real_escape_string
Posted: Mon May 26, 2008 3:23 am
by Eran
My problem with htmlentities is that you can't use it with multi-lingual text, as it turns unicode characters into unintelligible gibberish (their html entities representation). Does anyone know how to escape unicode text to avoid XSS attacks?
Re: htmlentities vs mysql_real_escape_string
Posted: Mon May 26, 2008 4:12 am
by matthijs
Isn't the 3rd parameter for the htmlentities function used for specifying the encoding?
echo htmlentities($str, ENT_QUOTES, 'UTF-8');
but character encoding is an area I always find confusing so hopefully someone who does know can give a more elaborate and better answer.
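The two points above (one escape function per output context, and the charset argument deciding whether non-Latin text survives htmlentities) as an added, runnable example that is not code from this thread. It covers only the HTML context; the SQL escape in the first reply is bound to a live connection (mysqli_real_escape_string, or better a prepared statement) and cannot run offline. The input string is constructed for the example.

```php
<?php
// Added example, not from the thread. Demonstrates the "one escape per output
// context" rule on a constructed UTF-8 string and why the charset argument to
// htmlentities matters for non-Latin text.

// Constructed sample: Latin-1 accented text, Cyrillic, and an HTML-significant
// fragment that must never reach the browser unescaped.
$input = 'Café Привет <b onmouseover="x()">hi</b> & "quoted"';

// Escape for an HTML text node or a double-quoted attribute value.
// $charset must match the encoding of the bytes in $str AND the encoding the
// page is served with (e.g. Content-Type: text/html; charset=UTF-8).
function escape_for_html($str, $charset = 'UTF-8')
{
    return htmlspecialchars($str, ENT_QUOTES, $charset);
}

// Same job via htmlentities: equally safe, but every character that has a
// named entity (é -> &eacute;) is rewritten, which is what makes multilingual
// text look like "gibberish" while still being correct HTML.
function entities_for_html($str, $charset = 'UTF-8')
{
    return htmlentities($str, ENT_QUOTES, $charset);
}

// Compare the three behaviours side by side.
$results = array(
    // Correct charset, minimal escaping: only & < > " ' are touched;
    // "Café" and "Привет" survive byte for byte.
    'htmlspecialchars UTF-8'  => escape_for_html($input, 'UTF-8'),
    // Correct charset, maximal escaping: é becomes &eacute;, Cyrillic (which
    // has no named entities) is left as-is.
    'htmlentities UTF-8'      => entities_for_html($input, 'UTF-8'),
    // Wrong charset (the default before PHP 5.4 when the argument is omitted):
    // each UTF-8 byte is read as a Latin-1 character, so é (bytes C3 A9)
    // comes out as &Atilde;&copy;, the mangling reported in the thread.
    'htmlentities ISO-8859-1' => entities_for_html($input, 'ISO-8859-1'),
);

foreach ($results as $label => $html) {
    printf("%-25s %s\n", $label, $html);
}
```

For multilingual pages, htmlspecialchars with the correct charset is the usual choice: it neutralises the same five characters an XSS payload needs while leaving the rest of the text readable.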
Re: htmlentities vs mysql_real_escape_string
Posted: Mon May 26, 2008 5:15 am
by Eran
I actually knew about this and thought that's what I was using, but apparently I had data automatically filtered using ISO encoding through the use of the Zend_Filter_Input component... woe is me
Re: htmlentities vs mysql_real_escape_string
Posted: Mon May 26, 2008 5:28 am
by Bruno De Barros
Question:
When PHP 6 is released, completely UTF-8 compatible, does that mean I can make a website with UTF-8 encoded HTML, and a database with UTF-8 data, and everything will work properly?