
Why do many people use htmlentities & ENT_QUOTES? The following code is a sample from one of the most viewed SQLi/PHP CRUD tutorials, whose author teaches people. What is he trying to do? What is the purpose? Is it something worth studying for an hour or two?

// Encode HTML special characters in the submitted values before they reach the
// database; ENT_QUOTES makes htmlentities() convert both ' and " as well.
// ($_POST values are assumed to be present; $mysqli and $id are set elsewhere.)
$firstname = htmlentities($_POST['firstname'], ENT_QUOTES);
$lastname  = htmlentities($_POST['lastname'], ENT_QUOTES);

// Prepared statement: the values are bound as parameters ("s" = string,
// "i" = integer) and are never concatenated into the SQL text.
if ($stmt = $mysqli->prepare("UPDATE players SET firstname = ?, lastname = ? WHERE id = ?"))
{
    $stmt->bind_param("ssi", $firstname, $lastname, $id);
    $stmt->execute();
    $stmt->close();
}
Funk Forty Niner
  • Why ask us? Why not ask whoever wrote the code? –  Mar 07 '18 at 01:56
  • Why do you think that htmlentities stuff belongs to SQL injection? – Your Common Sense Mar 07 '18 at 04:40
  • His code has been up from many years ago. Not sure how I would contact him and, if I did, whether he would even respond. Why ask who to ask? Why not ask you? Isn't that the point? – user9449525 Mar 07 '18 at 04:47
  • I have seen an article with someone stating how ENT_QUOTES is used for security. – user9449525 Mar 07 '18 at 04:48
  • Security is not limited to SQL injection. Why do you think that htmlentities stuff belongs to SQL injection? – Your Common Sense Mar 07 '18 at 04:53
  • OK, so that's my question: how does it make it secure? Because he used htmlentities with a prepared statement, when I myself have NEVER used one with a prepared statement before, and rarely see them; I would say 5% of the time. – user9449525 Mar 07 '18 at 06:25
  • When did I ever say I thought it was? I didn't. I was just stating the fact that he used it with a prepare. – user9449525 Mar 07 '18 at 06:26

1 Answer

Why do many people use htmlentities & ENT_QUOTES?

To answer that question, I am providing you with a detailed explanation as to why htmlentities() with the ENT_QUOTES flag was used and should be used for a particular case such as this one.

Should there be a character such as ' in a string value such as "O'Neil", the HTML source will reveal O&#039;Neil (checking the HTML source is something you should always do before doing anything) when htmlentities() is used with the ENT_QUOTES flag; the unicode apostrophe will then be inserted in the database, whereas without it O'Neil would be inserted, which would not give the desired result.

Using htmlentities() with the ENT_QUOTES flag ensures that the quote is entered in the database.

Using a prepared statement with this won't make a difference; it will still be entered as O'Neil if htmlentities() with the ENT_QUOTES flag is not used.

That is why they used that. The source you got this from is unknown, so I can't put words in their mouth, but that is what that function is for.

I answered a similar question below, which you can consult further if you wish:


"Ok. well based on these comments it looks like htmlentities it not something really I need to worry about."

The above was pulled from a comment in another answer.

That said, it would probably be best to keep it since:

  1. It won't do any harm
  2. Should you get someone whose keyboard language uses unicode characters, then you're back to "square one" and you'll get unicode characters entered, rather than the intended value(s).

That decision is yours.

Funk Forty Niner