Northern Flame Posted May 20, 2008
I am using the function htmlentities() to protect my website from people trying to post HTML on my website, and I also added the ENT_QUOTES option to the function so that it converts double quotes to &quot; and converts single quotes to &#039;. So is there a need for me to also use mysql_real_escape_string()? I guess what I'm asking is if mysql_real_escape_string() protects against more than single and double quotes.
DarkWater Posted May 21, 2008
Yes, you should always use it.
AndyB Posted May 21, 2008
Whether it should always be used or not, understanding what it does is helpful -> http://ca3.php.net/mysql_real_escape_string
DarkWater Posted May 21, 2008
Okay, sorry, you don't need to use it if you're hashing something (like MD5ing a password) and inserting it, or if you're inserting values that you know are clean. Any input that involves ANY user interaction must be escaped.
redarrow Posted May 21, 2008
Sorry, but that doesn't sound correct: md5, no escaping? What about if the user is posting a password and it is converted to md5 before getting to the database... Example:

<?php
// If a password is coming from the form then I think you need to escape the md5...
$password = mysql_real_escape_string(md5($_POST['password']));
?>
DyslexicDog Posted May 21, 2008
> Sorry, but that doesn't sound correct: md5, no escaping? What about if the user is posting a password and it is converted to md5 before getting to the database... Example:
>
> <?php
> // If a password is coming from the form then I think you need to escape the md5...
> $password = mysql_real_escape_string(md5($_POST['password']));
> ?>

Why? MD5 only returns alphanumeric in my testing. If you MD5 a SQL injection attempt, you're only going to get a hashed alphanumeric string back.
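The question in the first post is really about which context each function protects. The PHP script below is an added example written for this page, not code posted by anyone in the thread. It shows, on constructed sample inputs, which SQL-significant characters htmlentities(ENT_QUOTES) leaves untouched (the mysql_real_escape_string() documentation lists the characters it rewrites: NUL, newline, carriage return, backslash, single quote, double quote and Ctrl-Z), then stores the same inputs with a PDO prepared statement, which needs no escaping function at all, and encodes for HTML only at output time. It also checks the MD5 point from the last two posts. The script assumes PHP with the pdo_sqlite extension so it runs offline; note that the mysql_* functions were removed in PHP 7, so mysqli_real_escape_string() or parameter binding is what a current code base would use.

```php
<?php
// Added example (not from the thread). htmlentities() makes a string safe to
// print inside HTML; mysql_real_escape_string() (today: mysqli_real_escape_string(),
// or better, a prepared statement) makes a string safe inside a quoted SQL literal.
// Runs offline against an in-memory SQLite database via PDO (assumed available).

// Constructed sample inputs; each contains a character that matters to one context.
$samples = [
    "O'Reilly",        // single quote: significant to both HTML attributes and SQL
    'say "hi"',        // double quote: significant to both
    'C:\\temp',        // backslash: SQL string escaping cares, HTML does not
    "line1\nline2",    // newline: rewritten by mysql_real_escape_string, not by HTML
    "<b>bold</b>",     // angle brackets: HTML cares, SQL does not
];

// Characters mysql_real_escape_string() rewrites, per its documentation:
// NUL, \n, \r, \, ', " and Ctrl-Z. Everything else passes through unchanged.
$sqlSpecial = ["\x00", "\n", "\r", "\\", "'", "\"", "\x1a"];

// Which SQL-significant characters survive htmlentities(ENT_QUOTES) untouched?
function htmlUntouchedSqlSpecials(string $s, array $sqlSpecial): array
{
    $out = htmlentities($s, ENT_QUOTES, 'UTF-8');
    $left = [];
    foreach ($sqlSpecial as $ch) {
        if (strpos($out, $ch) !== false) {
            $left[] = json_encode($ch);
        }
    }
    return $left;
}

foreach ($samples as $s) {
    printf(
        "%-18s htmlentities -> %-24s SQL specials left: %s\n",
        json_encode($s),
        json_encode(htmlentities($s, ENT_QUOTES, 'UTF-8')),
        implode(' ', htmlUntouchedSqlSpecials($s, $sqlSpecial)) ?: '(none)'
    );
}
// Quotes become entities, but the backslash and newline samples are unchanged:
// htmlentities() is an HTML output encoder, not an SQL escaping function.

// The robust pattern: store raw data, bind it as a parameter so the value never
// becomes part of the SQL text, and encode for HTML only when rendering.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

$insert = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
foreach ($samples as $s) {
    $insert->execute([':body' => $s]);
}

foreach ($db->query('SELECT body FROM comments ORDER BY id') as $row) {
    // Stored exactly as submitted; encoded here, at the HTML boundary.
    echo '<p>', htmlentities($row['body'], ENT_QUOTES, 'UTF-8'), "</p>\n";
}

// The MD5 side-discussion: md5() always returns 32 hex characters, so its
// output contains none of the SQL-special characters whatever the input was.
function md5IsPlainHex(string $input): bool
{
    $h = md5($input);
    return strlen($h) === 32 && ctype_xdigit($h);
}
var_dump(md5IsPlainHex("pa'ss\"wo\\rd\n"));  // bool(true)
```

The first loop answers the original question directly: ENT_QUOTES removes the two quote characters from the SQL picture, but backslash and the control characters the MySQL escaper handles still pass through, so the two functions are not interchangeable. Binding parameters sidesteps the whole question of which escaper covers which character, and keeping the stored data raw means the HTML encoding can be applied once, at the right layer.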