
I have to say that it happens regularly to me that I tend to miss or use the wrong escaping of strings when, for example, handling HTML parameters (GET, POST), using them in PHP and sending them to MySQL.

I am pretty sure that this happens not only to me but of course to many other people as well. And it's not only about functionality and bugs but it's a strong security issue as well.

While I write this I should be a little bit more aware of the problem but it might be very well possible that there are already quite advanced language concepts which are developed in order to avoid these mistakes in general.

So this is not a question about code but rather, in general, about how programming of HTML/PHP/MySQL should be done so that these mistakes simply cannot occur as easily as they do right now.

NilsB
  • This isn't really much of an issue with prepared statements. [Here's](http://stackoverflow.com/a/60496) a good read to answer your question. – Dave Chen Jul 13 '15 at 05:24
  • The use of prepared statements is the way to go: the escaping is implicit and it helps you in preventing SQL injection. See http://php.net/manual/en/book.mysqli.php for all the details – Norbert Jul 13 '15 at 05:25

1 Answer


Yes, there is a way. You can use htmlentities() to convert quotes into the form of HTML.

Pratik Soni
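The two approaches raised above, prepared statements for the SQL side (the comments) and HTML encoding for the output side (the answer), apply to different contexts and need to be used together. The following is an added example, not code from the question or answer authors; the `users` table, its columns and the `$db` mysqli connection are assumed for illustration.

```php
<?php
declare(strict_types=1);

// Two output contexts, two tools bound to those contexts. The point of the
// question is to make "forgot to escape" hard: never build SQL or HTML by
// hand-escaping strings, use the API that does it for the context.

// SQL context: the value travels as a bound parameter, never as part of the
// query text, so quotes in $name cannot change the statement's structure.
// Table and column names are hypothetical.
function findUsersByName(mysqli $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $name);   // 's' = bind as a string
    $stmt->execute();
    // get_result() requires the mysqlnd driver (default in modern PHP builds).
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// HTML context: encode at the moment of output, with the charset the page is
// served in. ENT_QUOTES covers both quote styles, so the value is safe inside
// single- or double-quoted attributes as well as in element text.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Combining both: the raw GET value goes into the database layer unescaped
// (binding handles it) and is HTML-encoded only when it is written to the page.
// Assumes $db is an open mysqli connection, e.g. after $db->set_charset('utf8mb4').
function renderUserList(mysqli $db, string $rawName): string
{
    $html = "<ul>\n";
    foreach (findUsersByName($db, $rawName) as $row) {
        $html .= '  <li data-id="' . h((string) $row['id']) . '">'
               . h($row['name']) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Example call from a request handler (assumed context):
// echo renderUserList($db, $_GET['name'] ?? '');
```

Note that the SQL step never calls an escaping function at all; the parameter binding is what keeps the input out of the query structure, while the HTML step encodes every dynamic value regardless of where it came from.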