htmlentities and mysql_real_escape_string

Asked Aug 16 '12 at 08:58

Active Aug 16 '12 at 08:58

Viewed 69 times

Possible Duplicate:
Is htmlentities() and mysql_real_escape_string() enough for cleaning user input in PHP?

In my site for the sql injecion i used mysql_real_escape_string but now suppose someone wants to enter PHP code in the forum so ised htmlentities function. my code is as below :

$not_con =mysql_real_escape_string(htmlentities($_POST['note']));

than i update sql db like

  mysql_query("UPDATE forumtopic set forumDescri='$not_con' WHERE forum_id=$f_id");

Now when i entered simple PHP code in textbox like <?php echo "hi" ?> than no proble its inserted into database succesfully.but When i enter <?php session_start(); echo "hi" ?> it gives error like FORBIDDEN you dont have permission 404 error.help me in this

edited May 23 '17 at 11:48

Community

asked Aug 16 '12 at 08:58

Mehuldabhi

1

don't use `htmlentities` when you save into db, use it only when you display stuff. – Andreas Wong Aug 16 '12 at 09:00
but when session_start(); is in text then its not inserting into db...it give `Forbidden You don't have permission to access /forums/add_forum.php on this server.` – Mehuldabhi Aug 16 '12 at 09:08
please give me solution. – Mehuldabhi Aug 16 '12 at 09:21
For your access error I think you can change right on the file add_forum.php to 644 because apache is probably running with a different user. – Alexandre Lavoie Aug 16 '12 at 11:22

htmlentities and mysql_real_escape_string

0 Answers0