I have let the user give some information (name, date of birth, etc.). Then I have to put these values into the database. Should I use mysql_real_escape_string to prevent MySQL injection and htmlspecialchars to handle the HTML tags, both of them, or can one of them do the work?

If I should use one of them, then which one?
If I should use both, then which one first and which one last?

You can use htmlspecialchars if you are expecting the user to enter certain characters that need to be translated; otherwise it wouldn't be necessary.

But you can use both; it will be to your advantage.

Use htmlspecialchars first, followed by mysql_real_escape_string.
Use mysql_real_escape_string when you are inserting into or updating a MySQL database.

Use htmlspecialchars when you are going to display something on an HTML page.

Using them like this means that you will store the input in the database as entered, but you can then use a different escape function depending on how you are going to display the data (HTML, LaTeX, plain text, etc.).
Comments
Graham Breach 5-Jul-11 7:19am    
I've just noticed the question was posted in April... I hope it wasn't urgent...
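The approach in the answer above (store the value as entered, escape at the output boundary), written out as an added PHP example that is not part of any of the answers on this page. It uses a PDO prepared statement in place of mysql_real_escape_string (which was removed in PHP 7.0), keeps htmlspecialchars for the HTML view only, and shows why applying htmlspecialchars before the INSERT would leave a second output format (plain text) with entity-encoded data. The `users` table, its columns and the in-memory SQLite database (pdo_sqlite assumed available, standing in for MySQL so the snippet runs without a server) are assumptions of this example.

```php
<?php
// Added example, not the original answers' code: store raw input with a
// parameterised query, escape for HTML only when rendering HTML.
declare(strict_types=1);

function storeUser(PDO $db, string $name, string $birthDate): void
{
    // Prepared statement: the SQL text and the values travel separately,
    // so quotes, semicolons or comment markers inside $name cannot change
    // the statement. This is the replacement for mysql_real_escape_string
    // and does not depend on hand-matching the connection character set.
    $stmt = $db->prepare('INSERT INTO users (name, birth_date) VALUES (:name, :dob)');
    $stmt->execute([':name' => $name, ':dob' => $birthDate]);
}

function renderUserHtml(string $name): string
{
    // Escape at the HTML output boundary: <, >, &, " and ' become entities,
    // so a stored name containing markup is shown as text, not interpreted.
    return '<li>' . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</li>';
}

function renderUserPlainText(string $name): string
{
    // A different output context (plain text) needs no HTML escaping.
    // Because the database holds the raw value, nothing has to be decoded.
    return "Name: $name\n";
}

function renderUserHtmlFromPreEscaped(string $name): string
{
    // What the "htmlspecialchars first, then store" ordering produces when
    // the same row is later shown in a non-HTML context: the entities that
    // were baked in at INSERT time would have to be undone here.
    return "Name: " . html_entity_decode($name, ENT_QUOTES, 'UTF-8') . "\n";
}

// --- demo with a constructed input (assumption: pdo_sqlite is installed) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, birth_date TEXT)');

// Constructed sample input containing a quote, markup and an ampersand.
$input = "O'Reilly <b>&</b> Sons";
storeUser($db, $input, '1970-01-01');

$stored = $db->query('SELECT name FROM users')->fetchColumn();
var_dump($stored === $input);      // the row holds the value exactly as entered

echo renderUserHtml($stored);      // safe for an HTML page
echo "\n";
echo renderUserPlainText($stored); // safe for a plain-text report, no decoding needed

// For comparison: the pre-escaped variant needs decoding for plain text.
$preEscaped = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo renderUserHtmlFromPreEscaped($preEscaped);
```

Run it with `php example.php`. The point to take from the output is that with the raw value in the table, each consumer (HTML page, text report, LaTeX, etc.) picks its own escape at display time, whereas a value that was passed through htmlspecialchars before the INSERT is correct for exactly one of those consumers and has to be decoded for the rest. The SQL-injection side is handled entirely by the prepared statement, regardless of which display escape is used.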
I would recommend you use htmlspecialchars when the input from the user is expected to have special HTML characters such as the <, &, > signs, or any other characters that have special meaning in HTML. However, if you only expect your users to enter plain text, then it might not be a requirement.

On the other hand, mysql_real_escape_string is necessary to control what the users are storing in the database and to prevent SQL injection. mysql_real_escape_string ensures that whatever the user enters is processed first before it is stored in the database, and characters with special meaning to the SQL engine are properly escaped.

If you plan to use both, please use htmlspecialchars first, and then mysql_real_escape_string, and not vice versa.
Comments
Zoltán Zörgő 17-Oct-12 16:16pm    
You are really kind to the OP, but have you noticed that this question is more than one and a half years old? Please do not "up" questions inactive for so long. It is quite possible that the OP got what he/she wanted, or simply abandoned the question...

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)