Tuesday, August 20, 2013

mysql_real_escape_string and htmlspecialchars in PHP

mysql_real_escape_string prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

htmlspecialchars performs the following translations:
  • '&' (ampersand) becomes '&amp;'
  • '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
  • "'" (single quote) becomes '&#039;' (or '&apos;') only when ENT_QUOTES is set.
  • '<' (less than) becomes '&lt;'
  • '>' (greater than) becomes '&gt;'

Should we use mysql_real_escape_string(htmlspecialchars($value)) to prevent SQL injection?

To prevent SQL injection, mysql_real_escape_string is enough on its own. It is better to preserve the original data by not applying htmlspecialchars before storing it. But when we extract the data from the MySQL database and present it in an HTML page, we need to add htmlspecialchars at that point.
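As an added illustration (not code from the original post) of keeping the two escapes on their own sides: escapeForSql() below is a hypothetical, connection-less stand-in that only reproduces the documented character mapping of mysql_real_escape_string, which itself requires an open MySQL connection because the escaping depends on the connection's character set; buildInsert() and renderCell() are also names chosen here, and everything else uses the real htmlspecialchars().

```php
<?php
// escapeForSql(): hypothetical stand-in mirroring the documented mapping of
// mysql_real_escape_string (NUL, \n, \r, \, ', " and \x1a get a backslash).
// The real function needs an open connection; this one is not charset-aware
// and exists only so the example runs without a database.
function escapeForSql(string $value): string {
    return strtr($value, [
        "\x00" => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\x1a" => "\\Z",
    ]);
}

// Storage side: only SQL escaping, so the stored text stays exactly as typed.
function buildInsert(string $rawName): string {
    return "INSERT INTO users (name) VALUES ('" . escapeForSql($rawName) . "')";
}

// Presentation side: HTML escaping happens once, at output time.
function renderCell(string $storedName): string {
    return '<td>' . htmlspecialchars($storedName, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Constructed sample input: a quote that matters to SQL plus markup and an
// ampersand that matter to HTML.
$input = "O'Reilly <b>&co</b>";

// Recommended path: escape for SQL on the way in, for HTML on the way out.
// The quote is backslashed in the statement; the row keeps the original text;
// the cell shows the name with <, > and & turned into entities exactly once.
echo buildInsert($input), "\n";
echo renderCell($input), "\n";

// The combination from the question: htmlspecialchars before storing.
$storedAsEntities = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
echo buildInsert($storedAsEntities), "\n";
// The row no longer holds the user's text but entities, and rendering it the
// normal way encodes the '&' of every entity a second time (double encoding),
// so the visitor sees literal "&#039;" and "&lt;" instead of ' and <.
echo renderCell($storedAsEntities), "\n";
```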
