I'm simply passing user data into an SQL database and collecting the data for admin view only. I am using mysql_real_escape_string() to escape the data. I was told today that htmlentities is better to use; I have always heard the opposite. Could you go a little more in depth on this with me? Also, as a side note, if someone could provide a really good tutorial for PDO that would be wonderful.
- This has been asked before. I would suggest reading this: [Here](http://stackoverflow.com/questions/110575/do-htmlspecialchars-and-mysql-real-escape-string-keep-my-php-code-safe-from-inje/110576#110576) – Ian Brindley Jan 12 '13 at 18:42
- This isn't a question, it's a request for someone to do your work for you. Look into the two functions, and why you shouldn't be using either of them for escaping data for your database. Then search this site and many others; you'll find plenty of PDO tutorials. – nickb Jan 12 '13 at 18:43
- [The Great Escapism (Or: What You Need To Know To Work With Text Within Text)](http://kunststube.net/escapism/). – DCoder Jan 12 '13 at 18:47
2 Answers
The two do entirely different things. One escapes data for putting into a SQL statement (which is bad in general: see http://bobby-tables.com) and the other escapes data for putting into an HTML document. You're basically asking "Should I use a spoon or a fork?"

Andy Lester
- @YouMe **NO**. Pre tag does not convert anything. But PHP converts the text. – Shiplu Mokaddim Jan 12 '13 at 18:55
- @shiplu.mokadd.im I guess I'm still confused. Does htmlentities sanitize user input in ANY way before it goes into the database, or is it used after the information is pulled from the database? – You Me Jan 12 '13 at 18:57
- mysql escape string escapes SQL meta characters, and htmlentities escapes HTML meta characters. – Shiplu Mokaddim Jan 12 '13 at 19:04
- @YouMe: The documentation for htmlentities is here at this page: http://php.net/manual/en/function.htmlentities.php Is there something on the page there that is unclear? htmlentities has *nothing* to do with SQL. – Andy Lester Jan 12 '13 at 20:45
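The two contexts from the answer above side by side in PHP, as an added example that is not code from the question or either answer: a PDO prepared statement handles the SQL side (so the data is never spliced into the statement text), and the stored text is escaped for HTML only when the admin page is rendered. The table name, column names and the in-memory SQLite connection are assumptions made so the example runs offline.

```php
<?php
// Added example, not from the original post. The same user-supplied string
// is handled in its two contexts: SQL on the way in, HTML on the way out.
// Assumed schema: comments(name TEXT, comment TEXT).

function storeComment(PDO $db, string $name, string $comment): void {
    // Placeholders keep the data separate from the SQL statement, so no
    // manual escaping (mysql_real_escape_string or otherwise) is needed.
    $stmt = $db->prepare('INSERT INTO comments (name, comment) VALUES (:name, :comment)');
    $stmt->execute([':name' => $name, ':comment' => $comment]);
}

function renderAdminView(PDO $db): string {
    $html = "<table>\n";
    foreach ($db->query('SELECT name, comment FROM comments') as $row) {
        // Escape at the point of output, for the HTML context only.
        // htmlentities() from the question treats these characters the same way.
        $name    = htmlspecialchars($row['name'],    ENT_QUOTES, 'UTF-8');
        $comment = htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8');
        $html .= "<tr><td>{$name}</td><td>{$comment}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (name TEXT, comment TEXT)');

// A quote and HTML metacharacters go into the database unchanged: the
// prepared statement needs no escaping, and the raw text is what is stored.
storeComment($db, "O'Brien", '<b>hello</b> & goodbye');

// Only at render time are the HTML metacharacters converted to entities,
// so the admin view shows the text literally instead of interpreting it.
echo renderAdminView($db);
```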