
I'm trying to sanitize user input in PHP for saving data in a query. The problem is special chars like ' or ".

I tried htmlspecialchars(), addslashes() and mysql_real_escape_string(), but they aren't working. What's the best and fastest way to do it?

scrowler
  • Possible duplicate of [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Charlotte Dunois Nov 13 '16 at 22:10
  • That's not really for SQL injection but only to save special chars of a textarea – Andrea Martinelli Nov 13 '16 at 22:12
  • Please edit your question instead of adding comments, so that everything is in one place. Can you explain more clearly what you want to do? First you say "sanitize input", which I read as removing special characters, then your comment says you want to save special characters. – Robert Nov 13 '16 at 23:47
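The approach the linked duplicate recommends for the question's case, as an added example that is not part of the question or the answer: bind the value with a PDO prepared statement instead of escaping it, and leave htmlspecialchars() for output. It assumes an in-memory SQLite database and a hypothetical `comments` table so it runs offline; for MySQL only the DSN and credentials change.

```php
<?php
declare(strict_types=1);

// Added example, not from the question or answer. The table and DSN are
// assumptions chosen so the script runs offline.

function saveComment(PDO $db, string $body): int
{
    // The value is bound to a placeholder and sent separately from the SQL
    // text, so ' and " inside $body are data, never part of the statement.
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadComment(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : (string) $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY AUTOINCREMENT, body TEXT NOT NULL)');

// Constructed sample input containing the characters the question mentions.
$input = "O'Brien wrote \"it's fine\" -- even with a ; in it";

$id     = saveComment($db, $input);
$stored = loadComment($db, $id);

// No addslashes() or mysql_real_escape_string(): the text round-trips as-is.
var_dump($stored === $input);

// Escaping for HTML belongs at output time, not before storing.
echo htmlspecialchars((string) $stored, ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
```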

1 Answer


You can use the APEX_ESCAPE package to "sanitize" your data. Try the following:

```sql
select apex_escape.html_whitelist('<h1>Hello<script>alert("XSS");</script></h1>') from dual;
```
Uday Shankar