mysql_real_escape_string and htmlentities

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

so I have this code

Code:

$text = htmlentities($_POST['text'], ENT_QUOTES);

Is there a point in escaping that with mysql_real_escape_string?
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

I really don't know but I would just to be on the safe side.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

Depends on what you want to do with it.
Htmlentities is/should be used for escaping when you output a string as html.
Mysql_real_escape_string is/should be used for escaping data when you output it to a mysql database.
So those are 2 different things.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

well when inserting that into a database, all the quotes already look like &quot;.... so there wouldn't be anything to escape?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

There could be however some other characters to escape. To be safe, always use mysql_real_escape_string() .. it's not like it really "hurts" anything.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

html entities and mysql_escape_string do 2 totally different things.

html entities would turn & into &amp;

mysql_real_escape_string would turn ' into \' or " into \"

(might be / not sure but you need that in addition to html entities.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

agtlewis wrote: html entities and mysql_escape_string do 2 totally different things.

html entities would turn & into &amp;

mysql_real_escape_string would turn ' into \' or " into \"

(might be / not sure but you need that in addition to html entities.

htmlentities (given the proper parameters) would also turn " into &quot;
but feyd's right, I didn't think about escaping things besides quotes

I should've read the manual more carefully

PHP manual - mysql_real_escape_string wrote: mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

But besides what both do exactly, more important is what they are meant to do. In other words, in what situation you use which one. As I said before, mysql_real_escape_string when escaping for a db, htmlentities for escaping output to html. So you won't use both at the same time. The http://phpsec.org/php-security-guide.pdf explains it quite well.
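The two boundaries matthijs describes, together with feyd's point that there are characters besides quotes to escape, as an added example that is not code from the thread. It assumes PHP 7 or later with mysqli, an open connection `$db` and a table `posts` (id, body); because the mysql_* extension was removed in PHP 7, mysqli_real_escape_string() stands in for the mysql_real_escape_string() discussed above, and the bound-parameter form is the equivalent most code uses today.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7 with mysqli,
// a connection $db, and a table `posts` (id INT, body TEXT).

// Of the characters the manual lists for mysql_real_escape_string()
// (\x00, \n, \r, \, ', " and \x1a), which ones does htmlentities(ENT_QUOTES)
// leave untouched? Those are exactly what the DB layer still has to handle.
function untouchedByHtmlentities(): array
{
    $sqlSensitive = ["\x00", "\n", "\r", "\\", "'", "\"", "\x1a"];
    $left = [];
    foreach ($sqlSensitive as $c) {
        if (htmlentities($c, ENT_QUOTES, 'UTF-8') === $c) {
            $left[] = $c;
        }
    }
    // Only the two quote characters are changed by htmlentities; the backslash,
    // line breaks and control characters pass through unchanged.
    return $left;
}

// DB boundary: store the text as the user typed it. The quoting belongs here
// and has nothing to do with HTML. Bound parameter form:
function storePost(mysqli $db, string $raw): void
{
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (?)');
    $stmt->bind_param('s', $raw);
    $stmt->execute();
}

// Same thing with the escaping function the thread talks about. It needs the
// connection because the escaping depends on the connection's character set.
function storePostEscaped(mysqli $db, string $raw): void
{
    $safe = mysqli_real_escape_string($db, $raw);
    $db->query("INSERT INTO posts (body) VALUES ('$safe')");
}

// HTML boundary: encode at output time, quotes included, character set
// stated (Maugrim's point). Nothing SQL-related here.
function renderPost(string $body): string
{
    return '<p>' . htmlentities($body, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed input: a quote, a double quote, an ampersand and a backslash.
$input = "it's \"quoted\" & ends with a backslash \\";
// storePost($db, $input); then echo renderPost($row['body']) on the way out.
```

Storing the raw text and encoding only on output keeps the stored value usable for anything that is not HTML (a JSON API, an e-mail, a CSV export), which is the practical reason the two escaping steps are kept apart.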
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

i don't have it confused.

I'm storing htmlentity'd text into the database =]
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

ok, no offence :) didn't know you wanted to do that.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

it's all good, i appreciate your input :-D
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Don't forget the htmlentities character encoding...;)