Which string escaping function should I use when?

OK, so there are all these different string escaping functions like htmlentities(), mysql_real_escape_string(), addslashes()...

But what should I use in what situation?
Resources and opinions, please :)

+4
4 answers
  • addslashes() / stripslashes() go back to a rather bad idea called "Magic Quotes", which has since been deprecated. It automatically escaped special characters, and you could use addslashes() and stripslashes() to add or remove them. One of the problems was that you were never sure whether the data currently had slashes or not, and so you ended up putting unescaped data into SQL or having extra slashes on your web page.
  • htmlentities() is often used to display HTML on a page. If you try to write <b>Something</b> on an HTML page, you will see only Something (i.e. the source text in bold) - you will not see angle brackets around it. Using htmlentities('<b>Something</b>') converts the code to &lt;b&gt;Something&lt;/b&gt;, so in the browser you see the angle brackets.
  • mysql_real_escape_string() is useful for protecting against MySQL injection attacks - it escapes unsafe characters in strings. It does not escape anything in other data types, so they need to be handled separately. It also does not encode % and _, which are used as wildcards in some queries.

In short:

  • If you are encoding a string to write to an HTML page, use htmlentities()
  • If you are encoding a string to write to the database, use mysql_real_escape_string()
  • Never use addslashes()
+9

Which should I use in what situation?

  • htmlentities(): never use it; use htmlspecialchars() instead, to print untrusted user input into the browser.
  • mysql_real_escape_string() is a MySQL database specific function. Here is an exhaustive guide that I wrote exactly on the topic of where to use it and where not, and what else you need to know about MySQL database security.
  • addslashes(): it depends. Most of the time you don't need it at all.
+3

when you insert data into mysql database use this:

mysql_real_escape_string()

When you are going to display the content that the user has given you:

htmlentities()

If your database does not have its own function in PHP, you can use addslashes(), but it is not recommended when you have something specific that is better (mysql_real_escape_string()).

see this for more information:

Htmlentities vs addslashes vs mysqli_real_escape_string

PS: you should use mysqli_real_escape_string(), not mysql_real_escape_string().

EDIT:

To really prevent attacks, this is good reading material: http://www.php.net/manual/en/security.database.sql-injection.php

You should also look at the prepared statements: http://www.php.net/manual/en/mysqli.prepare.php

A lot of information is also available here on Stack Overflow.

+1

All variations on the same theme:

$bar = "O'Reilly"; "foo = '$bar'"; // foo = 'O'Reilly' -> invalid syntax

Blindly concatenating strings together can lead to syntax violations if the strings must follow a special syntax. At best this is an annoyance; at worst, a security issue. Escaping values prevents these problems. General example:

"foo = '" . escape($bar) . "'"; // foo = 'O\'Reilly'

All the various functions correctly escape values for different syntaxes:

  • htmlentities for escaping output for HTML.
  • mysql_real_escape_string for escaping values for SQL queries.
  • addslashes ... not very good for anything, do not use.
  • json_encode for encoding / escaping / converting values for JavaScript format.

0
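Putting the answers above together, here is an added example (not code from any of the answers) that escapes one untrusted value once per output context, uses a prepared statement for SQL instead of any escaping function, and shows why addslashes() is not tied to any syntax. The `$pdo` connection and the `authors` table are assumptions.

```php
<?php
// Added example, not from the thread. $pdo and the authors table are assumed.
declare(strict_types=1);

// Constructed untrusted input: a quote, tags, double quotes and an ampersand.
$bar = "O'Reilly <b>\"&\"</b>";

// 1. HTML context: htmlspecialchars() with ENT_QUOTES encodes both ' and ",
//    so the value cannot close a single- or double-quoted attribute either.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
echo '<p>' . escHtml($bar) . "</p>\n";
echo '<input value="' . escHtml($bar) . "\">\n";

// 2. JavaScript context: json_encode() emits a valid JS string literal; the
//    JSON_HEX_* flags additionally hex-encode <, >, &, ' and " so the literal
//    cannot terminate an enclosing <script> element.
$jsFlags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
echo '<script>var author = ' . json_encode($bar, $jsFlags) . ";</script>\n";

// 3. SQL context: do not build the statement from strings at all. The value is
//    sent as a bound parameter, so quoting is never the caller's job and the
//    % and _ wildcard issue only matters if you deliberately use LIKE.
function findByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM authors WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 4. addslashes() belongs to no output syntax, and applying it twice (the old
//    "magic quotes" situation) doubles the backslashes, so you can no longer
//    tell from the data alone whether it has already been escaped.
$once  = addslashes($bar);
$twice = addslashes($once);
var_dump($once === $twice); // false: the second pass corrupted the value
```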