Possible Duplicates:
Htmlentities vs addslashes vs mysqli_real_escape_string
When to use which string escaping method?

Hi, I get very confused when to use addslashes and when to use htmlentities.

Can you please give me an example of when I should use addslashes and when I should use htmlentities?

Hacker

2 Answers

  • Never use addslashes.

  • Also never use htmlentities()*

  • Use htmlspecialchars() when outputting untrusted content in the context of an HTML page.

In general, there is usually one correct method of escaping/sanitizing your data, depending on what you want to do with it. If you tell us more about what you are trying to do, somebody will be able to point you in the right direction.

* = unless you need it, which is usually never. htmlentities() turns many more characters than necessary into their respective HTML entities, which has become largely superfluous in the days of UTF-8. For security, the range of characters covered by htmlspecialchars() is enough.

Pekka
  • Almost word for word what I was about to type. +1 (Although I'd say to only use `htmlentities` when outputting to an environment where you can't control the character encoding http headers. `htmlspecialchars` is usually a better choice) – Quentin May 04 '11 at 10:38
  • Good choice wikifying this one Pekka :) Your answer leaves much to debate and doesn't explain anything to OP. I seem to remember a recent debate about how htmlentities should never be used when htmlspecialchars is available. Should be noted that OP most likely needs a means of escaping data, which is why he's asking about addslashes. Maybe telling him how to escape without addslashes would help. – Wesley Murch May 04 '11 at 10:38
  • @Wesley yeah, I already fixed the `entities()` thing. (I wikified it because it's such a blatant duplicate, not out of fear of downvotes) @David yeah, fixed to recommend htmlspecialchars(). – Pekka May 04 '11 at 10:40
  • @pekka - so you mean to say that while outputting data I must use htmlentities/htmlspecialchars, and I should use addslashes when making data safe for the DB, right? Does addslashes have no part to play in the front end? – Hacker May 04 '11 at 11:17
  • @pradeep never use addslashes to make data safe for the database: Always use the sanitation method offered by your database library (like `mysql_real_escape_string()`), or parametrized queries. To output data in a text box, `htmlspecialchars()` is enough. – Pekka May 04 '11 at 11:21
  • @pekka - so I am confused: when should I ideally use the addslashes function? – Hacker May 04 '11 at 11:23
  • @pradeep only in very specialized cases like when injecting JavaScript code into an HTML tag's `onclick=""` event for example. Quotes inside the JavaScript code need to be escaped so they don't break the HTML. Never use it to sanitize data for the database. – Pekka May 04 '11 at 11:24
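To make the three-way comparison concrete, here is an added example (not code from the answer or comments above, written for this page). It runs one constructed untrusted string through addslashes(), htmlentities() and htmlspecialchars() for output into a UTF-8 HTML page, and also shows the wrong-charset mojibake that James's answer below warns about. The helper name `h()` is an assumption, not a PHP built-in.

```php
<?php
// Added example, not code from the answers above: the same untrusted string run
// through the three functions the thread discusses, for output into an HTML page.
// The input string is constructed for the demo; h() is a hypothetical helper name.
declare(strict_types=1);

// The one helper most PHP templates need: escape for HTML element text and for
// double- or single-quoted attribute values. ENT_QUOTES covers the single quote,
// ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of returning "".
function h(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$comment = "Zoë says: <script>alert('x')</script> & \"hi\"";

// addslashes() only backslash-escapes ' " \ and NUL. The <script> tag passes
// through untouched, so echoing this into a page is still a stored XSS.
echo "addslashes:       ", addslashes($comment), "\n";

// htmlentities() escapes the same metacharacters as htmlspecialchars() and in
// addition rewrites every character that has a named entity (ë becomes &euml;),
// which a UTF-8 page does not need.
echo "htmlentities:     ", htmlentities($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";

// The charset problem James's answer warns about: declare the wrong charset and
// each byte of the two-byte UTF-8 sequence for ë is treated as a separate Latin-1
// character (&Atilde; followed by &laquo;), i.e. mojibake in the rendered page.
echo "wrong charset:    ", htmlentities($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'ISO-8859-1'), "\n";

// htmlspecialchars() neutralises exactly the characters the HTML parser cares
// about (& < > " ') and leaves the UTF-8 text alone.
echo "htmlspecialchars: ", h($comment), "\n";

// Where it goes: element content and attribute values, both through h().
printf("<p>%s</p>\n", h($comment));
printf("<input type=\"text\" name=\"comment\" value=\"%s\">\n", h($comment));
```

Run it from the command line with `php` and compare the four lines: only the last is safe to put in a page, and it is also the only one that leaves the ë readable in a UTF-8 document. The attribute example works because h() encodes both quote characters; with ENT_COMPAT (the pre-8.1 default when no flags are given) a single-quoted attribute would still be breakable.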

It's slightly confusing, I agree. But, let's see if we can help :)

htmlentities makes data safe for outputting into an HTML document. The PHP manual says:

This function is identical to htmlspecialchars() in all ways, except with htmlentities(), all characters which have HTML character entity equivalents are translated into these entities.

But keep in mind that using htmlentities() in an UTF-8 encoded document should be avoided at all costs! There are always problems, see http://www.phpwact.org/php/i18n/charsets#common_problem_areas_with_utf-8

addslashes makes data safe for a few other situations, but if your database has its own escaping function then use that; for MySQL that is mysql_real_escape_string.

James
  • Bound parameters are a much better option than `mysql_real_escape_string` – Quentin May 04 '11 at 10:40
  • so you mean to say that while outputting data I must use htmlentities/htmlspecialchars, and I should use addslashes when making data safe for the DB, right? Does addslashes have no part to play in the front end? – Hacker May 04 '11 at 11:17
  • I've never really used `addslashes` on front end things, so I wouldn't worry too much. – James May 04 '11 at 15:00
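Both answers say not to use addslashes for the database and Quentin's comment says bound parameters beat manual escaping. The following added example (not code from either answer) shows why, using PDO against an in-memory SQLite database so it runs without a server. The table, rows and attacker input are constructed for the demo; the `names()` helper is a hypothetical name.

```php
<?php
// Added example, not part of either answer: why addslashes() is not SQL escaping
// and what replaces it. Uses PDO with an in-memory SQLite database so it runs
// without a server; the table, rows and attacker input are constructed for the demo.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Hypothetical helper: flatten a result set to a comma-separated list of names.
function names(array $rows): string
{
    return implode(',', array_column($rows, 'name')) ?: '(none)';
}

// Untrusted input, e.g. $_GET['name'] (constructed attacker input).
$input = "x' OR 1=1 --";

// Wrong: build the query string with addslashes(). It turns ' into \' but
// backslash escapes inside string literals are a MySQL extension; SQLite (and
// standard SQL) read the backslash as an ordinary character, so the quote still
// closes the literal and the rest of the input is parsed as SQL.
$unsafeSql = "SELECT name FROM users WHERE name = '" . addslashes($input) . "'";
$rows = $db->query($unsafeSql)->fetchAll(PDO::FETCH_ASSOC);
echo "addslashes query: ", $unsafeSql, "\n";
echo "addslashes rows:  ", names($rows), "\n";

// Right: a prepared statement. The text is sent as a bound value and is never
// parsed as SQL, whatever quotes or comment markers it contains.
$stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute([':name' => $input]);
echo "prepared rows:    ", names($stmt->fetchAll(PDO::FETCH_ASSOC)), "\n";

// Same statement with a legitimate value still works as expected.
$stmt->execute([':name' => 'bob']);
echo "prepared rows:    ", names($stmt->fetchAll(PDO::FETCH_ASSOC)), "\n";
```

With the addslashes() version the WHERE clause becomes `name = 'x\' OR 1=1 --'`, which SQLite reads as `name = 'x\' OR 1=1` followed by a comment, so both users come back; the prepared statement returns nothing for the attacker string and only `bob` for the real name. Even on MySQL, where addslashes() happens to match the server's backslash escaping, it is still wrong: it knows nothing about the connection charset (multi-byte charsets such as GBK can swallow the backslash) or about NO_BACKSLASH_ESCAPES mode, which is exactly what mysql_real_escape_string() and, better, bound parameters take care of.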