
Is this code safe?

$name = htmlspecialchars($mysqli->real_escape_string($_POST["name"]), ENT_QUOTES,"UTF-8");

Or should I use this:

$name = $mysqli->real_escape_string(htmlspecialchars($_POST["name"], ENT_QUOTES,"UTF-8"));

Or does it not matter? Thanks.

  • [The Great Escapism (Or: What You Need To Know To Work With Text Within Text)](http://kunststube.net/escapism/) – deceze Aug 05 '13 at 13:02

1 Answer


Neither.

Protect your database from SQL injection when making queries. Where possible, do it with parameterized queries instead of manual escaping.

Protect your HTML from XSS when you generate your HTML, i.e. apply htmlspecialchars to the data you get out of the database, not to the data you put into it.

  • Oh, OK, so the page could get hacked when I use $mysqli->real_escape_string()? Because I tried putting ' etc. in the field that gets sent to the database and it was working all right. – user2653217 Aug 05 '13 at 13:09
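The following is an added example, not code from the question or from Quentin's answer, showing the two rules the answer states side by side with the question's approach: bind the value with a prepared statement on the way into the database, store it unmodified, and apply htmlspecialchars once at the point where it is written into HTML. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the mysqli equivalent of the prepared insert is in storeNameMysqli(), which assumes $mysqli is an already open connection. The table name, column name and the two sample inputs are constructed for the demo.

```php
<?php
// Added example (not from the original post). Compares escaping-before-storage
// (the question's approach) with parameterized insert + escape-on-output
// (the answer's approach). Runs stand-alone with PDO's SQLite driver.
declare(strict_types=1);

// Constructed sample inputs: a legitimate name containing a quote and an
// ampersand, and a stored-XSS payload. Both contain only characters that
// real_escape_string handles, which is why a manual "type a quote" test
// looks fine either way; the difference shows in what gets stored.
$inputs = [
    "O'Reilly & Sons",
    "<script>alert(document.cookie)</script>",
];

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec('CREATE TABLE users_double_escaped (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// The question's approach: HTML-escape, then SQL-escape, then store.
// $pdo->quote() stands in for $mysqli->real_escape_string(), which needs a
// live mysqli connection. Returns what actually lands in the table.
function storeNameDoubleEscaped(PDO $pdo, string $name): string
{
    $escaped = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    $pdo->exec('INSERT INTO users_double_escaped (name) VALUES (' . $pdo->quote($escaped) . ')');
    return $escaped; // e.g. O'Reilly has become O&#039;Reilly in the database
}

// The answer's approach: parameterized query, raw value stored. The bound
// value is sent as data and is never parsed as SQL, so no escaping is needed.
function storeName(PDO $pdo, string $name): void
{
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

// mysqli equivalent of storeName(). Assumes $mysqli is an open connection
// (not created here; this function is not called in the demo).
function storeNameMysqli(mysqli $mysqli, string $name): void
{
    $stmt = $mysqli->prepare('INSERT INTO users (name) VALUES (?)');
    $stmt->bind_param('s', $name);
    $stmt->execute();
}

// Escape exactly once, at the point where the value enters an HTML context.
// ENT_QUOTES also covers the attribute case (value="...") for the same helper.
function renderName(string $name): string
{
    return '<li>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</li>';
}

foreach ($inputs as $name) {
    storeName($pdo, $name);
    $stored = storeNameDoubleEscaped($pdo, $name);
    echo "question's approach stores: {$stored}\n";
}

echo "\nanswer's approach, read back and escaped on output:\n";
foreach ($pdo->query('SELECT name FROM users ORDER BY id') as $row) {
    echo renderName($row['name']), "\n";
}
```

Running it shows the practical cost of the question's approach: the stored name is `O&#039;Reilly &amp; Sons`, so anything that reads the column for a non-HTML purpose (an email, a CSV export, a JSON API) gets entity-encoded garbage, and a page that correctly escapes on output renders it as `O&amp;#039;Reilly`. With the answer's approach the database holds the real string, the `<script>` payload is stored as inert text, and renderName() neutralizes it at the only place it matters.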