.oO(patricktr)
> Stupid question but what's the difference between htmlentities &
> mysql_real_escape_string;
RTFM?
> they both seem to be designed against hackers keying in html
> instructions into forms so they 'escape' problem strings
They are _not_ meant as a protection against hacking.
mysql_real_escape_string() escapes characters that have a special
meaning in SQL and could break a query. As a side effect it also helps
to prevent SQL injection, but this is not its main purpose.
htmlentities() and htmlspecialchars() (the latter is enough if you use
UTF-8) on the other hand escape chars that have a special meaning in
HTML and might break your markup. As a side effect they also help to
prevent XSS attacks, but again - this is not their main purpose.
> (primarily the apostrophe it seems) and I know that you use
> mysql_real_escape_string before writing to a db and htmlentities
> before re-displaying user input on a screen but why is this
> separation necessary - why can't it just be one function?
They're designed for totally different targets and used in totally
different places.
> Playing around I can see that if I enter <p echo 'me' /p>, MRES gives
> me <p echo \'me\' /p> (with magic quotes slashes stripped), and
> htmlentities gives me Null
Huh? With htmlentities() you should get the same string with at least <
and > replaced by character references.
> so there is clearly a difference but I don't understand why - can
> anyone explain in simple words for a simple brain?
>
> Also does this mean that when validating prior to writing to a db I
> validate an htmlentities version of the input but then write a MRES
> version to the db? In the example above I would be validating a null
> string and if it was not a mandatory field I would end up writing a
> line of code (albeit escaped) to my db?
> Thanks.
Me too, because I don't really get this last part ... anyway, time for
bed now.
Micha
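Added example (editor's code, not part of Micha's or patricktr's posts) showing the two escapes applied at their two different boundaries: SQL escaping where the value enters the query text, HTML escaping where the value leaves for the browser, and the raw, unescaped string in the database in between. It uses PDO with an in-memory SQLite database so it runs offline (assumes the pdo_sqlite extension); with a MySQL DSN the same calls work unchanged. PDO::quote() stands in for mysql_real_escape_string(), which needs an open MySQL connection (its escaping depends on the connection charset) and was removed together with the mysql extension in PHP 7. The table name and the sample input string are constructed for the example; the input is the one from the question.

```php
<?php
declare(strict_types=1);

// Constructed sample input: the string the question experiments with.
$input = "<p echo 'me' /p>";

// In-memory SQLite so the script runs offline. Assumes pdo_sqlite is available.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Boundary 1: the SQL query. PDO::quote() plays the role of
// mysql_real_escape_string(): it escapes the characters the SQL parser
// cares about (here the apostrophe) and wraps the value in quotes, so the
// whole input stays one string literal instead of ending the literal early.
// SQLite doubles the quote; the MySQL driver backslash-escapes it.
$quoted = $db->quote($input);
$db->exec("INSERT INTO comments (body) VALUES ($quoted)");

// The better form: a prepared statement. The value is sent separately from
// the query text, so nothing has to be escaped for SQL at all.
$stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $input]);

// Boundary 2: the HTML page. Only on the way to the browser are the
// characters the HTML parser cares about (< > & " ') replaced by character
// references. Note that this happens at output time, not at storage time.
function renderComment(string $body): string
{
    $safe = htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<li>$safe</li>";
}

foreach ($db->query('SELECT body FROM comments') as $row) {
    // What was stored is the raw input: neither escape changed the data,
    // each only protected the query or the markup it was embedded in.
    if ($row['body'] !== $input) {
        throw new RuntimeException('stored value differs from input');
    }
    echo renderComment($row['body']), "\n";
}
```

Run with `php example.php`. The two list items printed carry the same text, with the angle brackets and apostrophes turned into character references; had the HTML-escaped form been written to the database instead, every other consumer of that column (a mail, a CSV export, a JSON API) would receive `&lt;` and `&#039;` where the user typed `<` and `'`.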