[SOLVED] When should I use striptags mysql escape and htmlentities?

Seems like all these fall under some kind of security issue, so should I just always use it on anything that's going to search/post the database? They all seem to be very similar: replace/strip special characters.

 

Should I just do something like this to all my variables before sending them?

strip_tags(htmlentities(mysql_real_escape_string($imhackerfree)));

It all depends on the content. Sometimes you want the HTML to be displayed (a blog, for instance, or a forum that allows HTML). Sometimes you expect a number; if you do, check that it is a number and, if not, do not allow it.

 

There is not a "catch all" for it, as different items require different needs. But how you are using the functions is the wrong order either way:

 

mysql_real_escape_string(htmlentities(strip_tags($imhackerfree)));

 

Would be the way to do it. But think about the data you should get. If the field is to be strictly a name, then yes, the above is perfect. If it is to be a post that you do not want any HTML in at all, then yes. If you want to allow HTML in that field, no, the above would not suffice.

 

You mentioned that my order is wrong. Where is it that I can find what order it goes? Just for future reference.

 

Just having a knowledge of what the functions do.

 

How you had it, first you were escaping; that is probably fine but might cause some fuss with htmlentities, so it is better to put that after the entities. You want to strip HTML tags, but you had that last. Wouldn't using htmlentities before strip_tags defeat the purpose of using strip_tags, as that converts anything that might be interpreted by HTML to a readable format?

 

So if you want to remove HTML tags, you first strip_tags. Then, if you want to convert items to their HTML entity, you would use that. Finally, if there is anything left that MySQL may fuss about, you would escape the string.

 

Just like basic math: order of operations. It is often wise to understand what a function does before you use it, so you avoid issues like the above. Whether it would have caused an issue, I am not sure. But it was more or less redundant, as strip_tags would have had no effect if used after calling htmlentities.
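An added worked example, not code posted in this thread, that demonstrates the two points made in the replies above: that strip_tags has nothing left to strip once htmlentities has run, and that each function belongs to a different field type and a different boundary (remove tags when the field must not contain HTML, protect the database when the value is stored, encode for HTML when the value is printed). The thread's mysql_real_escape_string needs a live MySQL connection and was removed from PHP 7, so the storage step here uses a PDO prepared statement against an in-memory SQLite table instead; the table name, column name and sample input are made up for the demo.

```php
<?php
// Added example for the thread above; not the original poster's code.
// Constructed sample input: a quote that MySQL would choke on, plus HTML markup.
$input = "<b>O'Brien</b> <script>alert(1)</script>";

// Point 1: the order of the two HTML-related calls matters.
// strip_tags first removes the markup; htmlentities then encodes what is left.
$tagsThenEntities = htmlentities(strip_tags($input), ENT_QUOTES, 'UTF-8');
// htmlentities first turns '<' and '>' into &lt; and &gt;, so strip_tags finds no tags
// and the markup survives, encoded, in the result.
$entitiesThenTags = strip_tags(htmlentities($input, ENT_QUOTES, 'UTF-8'));

echo "strip_tags then htmlentities: $tagsThenEntities\n";
echo "htmlentities then strip_tags: $entitiesThenTags\n";

// Point 2: apply each transform where it belongs, once, instead of stacking all three.

// Input boundary: this field is a plain name, so HTML is not allowed in it at all.
// strip_tags enforces that policy here, and the length check rejects junk early.
function cleanNameField(string $raw): string
{
    $name = trim(strip_tags($raw));
    if ($name === '' || strlen($name) > 100) {
        throw new InvalidArgumentException('name is empty or too long');
    }
    return $name;
}

// Storage boundary: a prepared statement sends the value separately from the SQL text,
// so the apostrophe in O'Brien is stored as-is and no escaping call is needed.
// (Hypothetical table "people" with a single "name" column.)
function storeName(PDO $db, string $name): void
{
    $stmt = $db->prepare('INSERT INTO people (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

// Output boundary: encode for HTML only when printing into a page, so the database
// keeps plain text and the same value can still be shown in a non-HTML context.
function renderName(string $name): string
{
    return '<li>' . htmlentities($name, ENT_QUOTES, 'UTF-8') . '</li>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

storeName($db, cleanNameField($input));

foreach ($db->query('SELECT name FROM people') as $row) {
    echo renderName($row['name']) . "\n";
}
```

Running it shows the first echo with the tags gone and only the apostrophe encoded, while the second still contains the `<b>` and `<script>` markup as entities, which is the redundancy the reply describes. The stored row holds the plain string `O'Brien alert(1)`, and the `<li>` line is the only place HTML encoding is applied. A field that is allowed to contain HTML (the blog or forum post case from the reply) would skip strip_tags at the input boundary and instead be filtered against an allow-list of tags before it is rendered.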
