galvin, posted May 18, 2009:
What is the best (i.e. safest) function to use on text submitted by a user via a form, to prevent them from doing something malicious on my server? Is htmlentities the best? Or something else? Or is my question too vague?
https://forums.phpfreaks.com/topic/158621-solved-is-html-entities-the-best-safety-measure/
Ken2k7, posted May 18, 2009:
mysql_real_escape_string
galvin (author), posted May 18, 2009:
Cool, thanks Ken!
Daniel0, posted May 18, 2009:
It kind of depends on the context in which you are using that data.
galvin (author), posted May 18, 2009:
Any chance you can give me a very basic example of differing contexts and a brief explanation of why one is better in one scenario and the other is better in the other scenario?
Ken2k7, posted May 18, 2009:
Well, the function I gave you prevents SQL injection. If you're just going to parse some values, then you probably don't need that function. It depends what you want to do and what kind of data you're getting.
Daniel0, posted May 18, 2009:
> Any chance you can give me a very basic example of differing contexts and a brief explanation of why one is better in one scenario and the other is better in the other scenario?

escapeshellarg
escapeshellcmd
htmlentities
mysql_real_escape_string
Prepared statements (PDO)
Prepared statements (MySQLi)
mysqli_real_escape_string
db2_escape_string
sqlite_escape_string

I'm sure you can add on to the list yourself...
galvin (author), posted May 18, 2009:
Yikes, didn't realize there were so many. Time to start reading, thanks!
cringe, posted May 18, 2009:
> Yikes, didn't realize there were so many. Time to start reading, thanks!

Use strip_tags too. http://us.php.net/manual/en/function.strip-tags.php
Daniel0, posted May 18, 2009:
That sort of depends on what you want to do. Imagine if SMF decided to use strip_tags() instead of htmlentities(). That would make it impossible to post HTML, which would be quite a problem for a webdev forum like PHP Freaks.
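The point made in this thread (the right function depends on where the data ends up, and strip_tags() destroys legitimate content that htmlentities()/htmlspecialchars() would merely display) as a single runnable script. This is an added example, not code posted by anyone in the thread; the sample post text is constructed, and the SQL part uses PDO prepared statements from Daniel0's list with an in-memory SQLite database (assumed available via the pdo_sqlite extension) rather than mysql_real_escape_string, which no longer exists in current PHP.

```php
<?php
// Added example (not from the thread): one user-submitted string, three
// different "contexts", each with its own correct handling.

// Constructed sample input: a post that legitimately contains HTML markup
// and an apostrophe, exactly what a user of a webdev forum would type.
$input = "Try <b>bold</b> or 'quotes' -- it's valid text to post";

// Context 1: HTML output. Encode so the browser renders the markup as
// visible text instead of interpreting it. ENT_QUOTES also encodes the
// apostrophe, so the result is safe inside a quoted attribute as well.
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Context 2: SQL. Do not escape at all; bind the value as a parameter so the
// database never parses it as part of the statement text. Stores the post
// and reads it back unchanged, apostrophe and markup included.
function storeAndFetch(string $s): string
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $s]); // value travels separately from the SQL

    return (string) $pdo->query('SELECT body FROM posts WHERE id = 1')->fetchColumn();
}

// Context 3: shell argument. escapeshellarg() wraps the value in single
// quotes and escapes embedded single quotes, so it stays one argument.
function forShell(string $s): string
{
    return escapeshellarg($s);
}

$stored = storeAndFetch($input);

echo "stored in DB : ", $stored, "\n";
// strip_tags() removes the <b> markup entirely: the forum can no longer show
// what the user actually wrote, which is Daniel0's objection above.
echo "strip_tags   : ", strip_tags($stored), "\n";
// htmlspecialchars() keeps every character but makes the browser display
// "<b>bold</b>" literally rather than rendering it.
echo "html output  : ", forHtml($stored), "\n";
// The shell form is only needed if the text is ever passed to a command.
echo "shell arg    : ", 'echo ' . forShell($stored), "\n";
```

Storing the raw text and escaping at output time, as above, is what lets the same post be shown in HTML, used in a query, or passed to a shell without the escapings of one context corrupting another.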