1

Is it really useful to have something like:

$passe = mysql_real_escape_string(htmlspecialchars($_POST['passe']));

Why do we use this? How can it be optimized?

Thank you

<?php
mysql_connect("localhost", "root", "");
mysql_select_db("nom_db");

// the two password fields from the form, run through both functions
$passe = mysql_real_escape_string(htmlspecialchars($_POST['passe']));
$passe2 = mysql_real_escape_string(htmlspecialchars($_POST['passe2']));
if($passe == $passe2)
{
    // script here
}
else
{
    echo 'Your password is wrong';
}
?>
Stephan
Zeroth
    In the code you show, both functions are completely unnecessary. I suspect that that's not the only place where those variables are used, is it? Can you show a more verbose example? – Pekka Aug 23 '11 at 09:14
  • 1
    This may be relevant: [The Great Escapism (Or: What You Need To Know To Work With Text Within Text)](http://kunststube.net/escapism/). – deceze Aug 23 '11 at 09:17
  • @Pekka : I had a doubt about it, it was not logical for me. http://pastebin.com/rJbWmm7m – Zeroth Aug 23 '11 at 09:23
  • Also see http://stackoverflow.com/questions/110575/do-htmlspecialchars-and-mysql-real-escape-string-keep-my-php-code-safe-from-injec – Cheekysoft Aug 24 '11 at 11:12

5 Answers

6

In that code example, it isn't useful at all.

htmlspecialchars converts characters with special meaning in HTML into entities. That is essential if you have some text that you want to insert into an HTML document (as it stops, for instance, characters such as < being treated as the start of tags, and protects against XSS).

mysql_real_escape_string converts characters with special meaning in MySQL SQL queries into escapes. This allows you to insert arbitrary strings into a MySQL database safely (protecting against errors and injection). There are, however, better ways to do the same thing.

In this case, you are just comparing two strings. Running them through a bunch of conversions isn't going to do anything useful.

Quentin
  • Good answer. Using both functions is not just pointless, it can be even harmful. Double escaping can make it impossible to give out a correct output later. Escaping should be done as late as possible, and only for the given target system. – martinstoeckli Sep 25 '12 at 12:15
1

You should only use mysql_real_escape_string($var) when passing untrusted variables into a database query, like so:

$query = mysql_query("SELECT * FROM `foo` WHERE `bar` = '".mysql_real_escape_string($_POST['username'])."'");

It is important to do this to protect against SQL injection attacks.

As for htmlspecialchars(), this should be used when outputting untrusted variables to a page; it will strip out any HTML to prevent a variable from outputting unwanted or dangerous HTML on top of a page (JavaScript, for example).

In your example, you need neither function, as you are just comparing them and are not putting them in a database or on a webpage.

Dunhamzzz
0

Using htmlspecialchars() like you do is pointless, because for strings:

mysql_real_escape_string(htmlspecialchars($_POST['passe'])) == 
    mysql_real_escape_string(htmlspecialchars($_POST['passe2']));

is the same as:

$_POST['passe'] == $_POST['passe2']
sanmai
  • It's true, yeah, I didn't think about it. – Zeroth Aug 23 '11 at 09:20
  • @sanmai, this is not exactly true. For example, if $_POST['passe'] is an array and $_POST['passe2'] is an empty string, NULL or a different array, then $_POST['passe'] == $_POST['passe2'] will return false and mysql_real_escape_string(htmlspecialchars($_POST['passe'])) == mysql_real_escape_string(htmlspecialchars($_POST['passe2'])) will return true (with a warning, but it will). But I agree that it is pointless. – XzKto Aug 23 '11 at 09:37
0

Using htmlspecialchars keeps you protected from XSS, but there is a bypass method if you add this word to the URL,

like

` link name ' ;

The bypass uses JavaScript onmouseout/onhover; otherwise it requires magic_quotes off.

addslashes & mysql_real_escape_string protect from SQL injection

by escaping the ' or " quotes,

but the good way is to remove these words after making the input lowercase.

Meaning:

$username = strtolower($_GET['ser']);
if (preg_match("(select|and|or|union|into|from|information|schema|.user|concat|group)", $username)) {
    die("Error : Hacking Attempt");
}

SamarLover
  • Hi SamarLover, what exactly does strtolower() do? Do we have to combine addslashes() & mysql_real_escape_string() with strtolower()? – Zeroth Aug 23 '11 at 11:24
  • Hello Zeroth, strtolower will make all words in small letters, and you can use only one of addslashes and mysql_real_escape_string, but strtolower you should use if you use your own function, because when you check the input like (Union Select etc.) and you told your function to remove union and select, it will not remove the injection words because they are not the same letters; or use PHP regex. – SamarLover Aug 27 '11 at 08:49
0

Your full code in the pastebin shows that the variables are used later for a database query.

mysql_query("INSERT INTO validation VALUES('', '$pseudo', '$passe', '$email')"); 

mysql_real_escape_string() is a must here; htmlspecialchars isn't, for the reasons @Quentin explained so well above.

Use htmlspecialchars later in the output if anything of what you insert gets output on a HTML page.

Pekka
  • Nice. What happens now if I have a form that allows people to write a text? Do I use a textarea? And which protection do I have to set up? Protect HTML? Protect JavaScript? – Zeroth Aug 23 '11 at 11:29
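A PHP illustration of the point Quentin, martinstoeckli and Pekka make above (escape for one target context, and as late as possible), as an added example that is not code from the question or any answer. It assumes PDO with an in-memory SQLite database so it runs offline, a constructed validation table, and password_hash() standing in for whatever the original script does with the password.

```php
<?php
// Added example: escaping is per output context; escaping early corrupts data.
// Assumes PDO + in-memory SQLite (constructed table/columns, not the question's DB).

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE validation (pseudo TEXT, passe TEXT)');

// Constructed form input with characters special to both SQL and HTML.
$input = ['pseudo' => "O'Brien <b>&</b>", 'passe' => 'secret', 'passe2' => 'secret'];

// 1. Comparing the two password fields needs no escaping at all.
$same = $input['passe'] === $input['passe2'];                 // true

$ins = $pdo->prepare('INSERT INTO validation (pseudo, passe) VALUES (?, ?)');

// 2. The question's approach: HTML-encode before the value reaches the database.
//    The table now holds entities instead of what the user typed ...
$early = htmlspecialchars($input['pseudo'], ENT_QUOTES, 'UTF-8');
$ins->execute([$early, password_hash($input['passe'], PASSWORD_DEFAULT)]);
//    ... so the (correct) escaping at output time double-encodes it:
$stored = $pdo->query('SELECT pseudo FROM validation')->fetchColumn();
$shownTwice = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
// 'O&amp;#039;Brien &amp;lt;b&amp;gt;&amp;amp;&amp;lt;/b&amp;gt;' -> the browser
// displays the literal text "O&#039;Brien &lt;b&gt;&amp;&lt;/b&gt;".

// 3. Escape per context, as late as possible: a bound parameter for SQL,
//    htmlspecialchars only at the moment the value is written into HTML.
$pdo->exec('DELETE FROM validation');
$ins->execute([$input['pseudo'], password_hash($input['passe'], PASSWORD_DEFAULT)]);
$stored = $pdo->query('SELECT pseudo FROM validation')->fetchColumn();
$roundTrip = $stored === $input['pseudo'];                   // true: stored as typed
$shownOnce = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
// 'O&#039;Brien &lt;b&gt;&amp;&lt;/b&gt;' -> the browser displays "O'Brien <b>&</b>"
// as text, and no tag is interpreted.

printf("same=%s roundTrip=%s\n", var_export($same, true), var_export($roundTrip, true));
printf("double-encoded: %s\nencoded once:   %s\n", $shownTwice, $shownOnce);
```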