Known Participant
March 10, 2008
Question

htmlentities vs mysql_real_escape_string

Stupid question but what's the difference between htmlentities & mysql_real_escape_string; they both seem to be designed against hackers keying in html instructions into forms so they 'escape' problem strings (primarily the apostrophe it seems) and I know that you use mysql_real_escape_string before writing to a db and htmlentities before re-displaying user input on a screen but why is this separation necessary - why can't it just be one function?

Playing around I can see that if I enter <p echo 'me' /p>, MRES gives me <p echo \'me\' /p> (with magic quotes slashes stripped), and htmlentities gives me Null so there is clearly a difference but I don't understand why - can anyone explain in simple words for a simple brain?

Also does this mean that when validating prior to writing to a db I validate an htmlentities version of the input but then write a MRES version to the db? In the example above I would be validating a null string and if it was not a mandatory field I would end up writing a line of code (albeit escaped) to my db?
Thanks.

4 replies

Inspiring
March 11, 2008
.oO(patricktr)

>Guys - appreciate it.
> RTFM - well yes ... the php manual has, I'm sure, references to everything
>I'll ever want to know about php but it is not always expressed in a way that
>is readily graspable by those not steeped in the technical tradition.

OK.

>I am
>using a few different books but there is always a certain degree of prior
>knowledge assumed and that can lead to confusion - but please bear with me –
>the idiotic questions have got to dry up soon … haven’t they? See my latest
>post.

;-)

No problem. The RTFM wasn't meant rude.

Micha
patricktr (Author)
Known Participant
March 11, 2008
Guys - appreciate it.
RTFM - well yes ... the php manual has, I'm sure, references to everything I'll ever want to know about php but it is not always expressed in a way that is readily graspable by those not steeped in the technical tradition. I am using a few different books but there is always a certain degree of prior knowledge assumed and that can lead to confusion - but please bear with me – the idiotic questions have got to dry up soon … haven’t they? See my latest post.
P.
Inspiring
March 10, 2008
patricktr wrote:
> Stupid question but what's the difference between htmlentities &
> mysql_real_escape_string;

htmlentities() converts special characters to their HTML entities (such
as &, etc.).

http://docs.php.net/manual/en/function.htmlentities.php

mysql_real_escape_string() escapes quotes and other control characters
in preparation for inserting content into a MySQL database.

http://docs.php.net/manual/en/function.mysql-real-escape-string.php

--
David Powers, Adobe Community Expert
Author, "The Essential Guide to Dreamweaver CS3" (friends of ED)
Author, "PHP Solutions" (friends of ED)
http://foundationphp.com/
Inspiring
March 10, 2008
.oO(patricktr)

>Stupid question but what's the difference between htmlentities &
>mysql_real_escape_string;

RTFM?

>they both seem to be designed against hackers keying
>in html instructions into forms so they 'escape' problem strings

They are _not_ meant as a protection against hacking.

mysql_real_escape_string() escapes characters that have a special
meaning in SQL and could break a query. As a side effect it also helps
to prevent SQL injection, but this is not its main purpose.

htmlentities() and htmlspecialchars() (the latter is enough if you use
UTF-8) on the other hand escape chars that have a special meaning in
HTML and might break your markup. As a side effect they also help to
prevent XSS attacks, but again - this is not their main purpose.

>(primarily the
>apostrophe it seems) and I know that you use mysql_real_escape_string before
>writing to a db and htmlentities before re-display user in put on a screen but
>why is this separateion necessary - why can't it just be one function?

They're designed for totally different targets and used in totally
different places.

> Playing around I can see that if I enter <p echo 'me' /p>, MRES gives me <p
>echo \'me\' /p> (with magic quotes slashes striped), and htmlentities give me
>Null

Huh? With htmlentities() you should get the same string with at least <
and > replaced by character references.

>so there is clearly a dfference but I don't understand why - can anyone
>explain in simple words for a simple brain?
>
> Also does this mean that when validating prior to writing to a db I validate
>an htmlentities version of the input but then write a MRES version to the db?
>In the example above I would be validating a null string and if it was not a
>mandatory field I would end up writing a line of code (albeit escaped) to my
>db?
> Thanks.

Me too, because I don't really get this last part ... anyway, time for
bed now.

Micha
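The point made in both replies above (each function targets one context, SQL or HTML, and they are used in different places) as an added example that is not code from the thread. It assumes PHP with the pdo_sqlite extension so it runs offline; the input string is constructed from the example in the question, with an apostrophe added so both escapers have something to do. mysql_real_escape_string() itself needs a live MySQL connection (it has to know the connection charset), so the form it would produce on MySQL is shown as a literal.

```php
<?php
// Added example, not code from the thread. Runs offline against an in-memory
// SQLite database through PDO. $input is a constructed sample value.

$input = "O'Reilly wrote <p echo 'me' /p>";   // constructed sample input

// --- SQL context -----------------------------------------------------------
// Escaping for SQL means: make the string safe to paste between quotes in a
// query. On MySQL, mysql_real_escape_string() would turn $input into
//   O\'Reilly wrote <p echo \'me\' /p>
// The angle brackets are untouched: they mean nothing to SQL.
$mysqlEscaped = "O\\'Reilly wrote <p echo \\'me\\' /p>";   // literal, as MySQL would produce it

// PDO::quote() is the driver-aware equivalent and returns the quoted literal.
// SQLite doubles the apostrophe instead of backslashing it, which is exactly
// why this escaping must come from the database layer and not from a generic
// "make it safe" function.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');
echo "SQLite literal: " . $pdo->quote($input) . "\n";
// 'O''Reilly wrote <p echo ''me'' /p>'

// The better option on any current PHP: a prepared statement. The value never
// becomes part of the SQL text, so nothing has to be escaped at all, and the
// row stores the user's text unchanged.
$stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $input]);

// --- HTML context ----------------------------------------------------------
// Escaping for HTML means: make the string safe to paste into markup. It is
// applied at output time, to the raw text read back from the database.
$stored = $pdo->query('SELECT body FROM comments')->fetchColumn();
echo "Stored:  " . $stored . "\n";
// O'Reilly wrote <p echo 'me' /p>
echo "In HTML: " . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . "\n";
// O&#039;Reilly wrote &lt;p echo &#039;me&#039; /p&gt;

// --- Why one function cannot serve both -------------------------------------
// The MySQL-escaped form is still live markup: a browser sees a <p ...> tag,
// and the \' sequences are just text to it.
echo "MySQL form in HTML: " . $mysqlEscaped . "\n";

// The HTML-escaped form is not a safe SQL literal either: htmlspecialchars()
// has no opinion about backslashes, and in MySQL a trailing backslash would
// escape the closing quote of the literal it is pasted into.
echo "htmlspecialchars('abc\\\\') = " . htmlspecialchars("abc\\", ENT_QUOTES, 'UTF-8') . "\n";
// abc\

// Escaping in the wrong place (HTML-escaping before storage) also corrupts the
// data: a search for what the user actually typed no longer matches that row.
$wrong = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$wrong->execute([':body' => htmlspecialchars($input, ENT_QUOTES, 'UTF-8')]);
$hit = $pdo->prepare('SELECT COUNT(*) FROM comments WHERE body LIKE :needle');
$hit->execute([':needle' => "%O'Reilly%"]);
echo "Rows matching O'Reilly: " . $hit->fetchColumn() . "\n";
// 1 (the raw row), not 2: the HTML-escaped row holds O&#039;Reilly
```

Run it with `php example.php`. The last block answers the question about validating: validate and store the raw text (ideally through a prepared statement), and apply the HTML escaping only when the value is printed into a page.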