
Let's say I have this code:

$value = mysqli_real_escape_string($con, $_POST['value']); // escape the raw POST value for use in a mysqli query
$value = strip_tags($value, '<br>');                       // then strip all HTML tags except <br>

For example, with this value: $_POST['value'] = "<div>how<br/> you doin'?</div>";

Should I escape $value after changing its text value? It contains an apostrophe that can cause problems with the mysqli queries, or even a SQL Injection. Thanks!

Itay Ganor
    No. Your script would be at risk of an [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – RiggsFolly Jun 19 '17 at 14:49

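The following is an added example, not code from the question or from RiggsFolly's comment. It takes the asker's exact input, applies strip_tags first, and then inserts the result with a mysqli prepared statement, so the question of "escape before or after strip_tags?" does not arise: the value never becomes part of the SQL text. The table `messages` (columns `id`, `body`), the connection credentials and the host are assumptions made for this example.

```php
<?php
// Added example (not from the original question or comments).
// Assumed schema: CREATE TABLE messages (id INT AUTO_INCREMENT PRIMARY KEY, body TEXT)
// Assumed credentials: host 'localhost', user 'app', password 'secret', database 'appdb'

declare(strict_types=1);

/**
 * Application-level transformation: keep only <br> tags (strip_tags also keeps
 * the self-closing <br/> form). This is plain text handling and has nothing to
 * do with SQL; the apostrophe in "doin'" is still present afterwards.
 */
function clean_value(string $raw): string
{
    return strip_tags($raw, '<br>');
}

/**
 * Store the cleaned value with a prepared statement. The value is sent to the
 * server separately from the statement text, so no escaping step is needed and
 * the apostrophe cannot terminate a string literal or alter the query.
 * Returns the id of the inserted row.
 */
function store_value(mysqli $con, string $value): int
{
    $stmt = $con->prepare('INSERT INTO messages (body) VALUES (?)');
    $stmt->bind_param('s', $value);   // 's' = bind as string
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

/**
 * Read the row back the same way; the id is bound as an integer ('i').
 * Returns null when no row matches.
 */
function load_value(mysqli $con, int $id): ?string
{
    $stmt = $con->prepare('SELECT body FROM messages WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($body);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $body : null;
}

// --- usage ---
// Throw exceptions on any mysqli error instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$con = new mysqli('localhost', 'app', 'secret', 'appdb');   // assumed credentials
$con->set_charset('utf8mb4');   // make the connection charset explicit

$raw   = "<div>how<br/> you doin'?</div>";   // the asker's example input
$clean = clean_value($raw);                  // becomes: how<br/> you doin'?
$id    = store_value($con, $clean);
$back  = load_value($con, $id);

// The stored text is identical to what was bound: no backslashes were added,
// and the apostrophe never had a chance to reach the SQL parser.
var_dump($back === $clean);
```

Two points the example is meant to make concrete. First, the transformation order stops mattering once the value is bound: do whatever text processing you need (strip_tags here), then bind the finished string. Second, if you do stay with mysqli_real_escape_string for some query, escaping has to be the very last thing done to the value before it is concatenated into the SQL string, because escaping is tied to that exact string and any later modification operates on (and could undo) the escaped form; in the code from the question, strip_tags runs after the escape, which is the wrong way round for that approach.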