wanner Posted September 22, 2009 (https://forums.phpfreaks.com/topic/175107-urlencode-to-prevent-mysql_injection/)
Hi, I have a textarea, and I want to escape the data before it is stored in the database to prevent MySQL injections. First I thought to use mysql_real_escape_string(). However, this causes problems in some cases when the data is to be displayed. So my question is if it is safe to use urlencode() to prevent MySQL injections? It would be great if it is, since I can then simply urldecode() before displaying the data. Thanks!
thebadbad Posted September 22, 2009
Use mysql_real_escape_string() when inserting the data to prevent injections, and then htmlentities() (or htmlspecialchars() with ENT_QUOTES as the second parameter) when displaying the data. You shouldn't alter the data when inserting it into the database.
"However this causes problems in some cases when the data is to be displayed."
What kind of problems?
wanner (Author) Posted September 22, 2009
"What kind of problems?"
My problem is that I use mysql_real_escape_string to escape the data before inserting it into the database. Then when I want to display the data, newlines and enters get replaced with \n and \r etc.
thebadbad Posted September 22, 2009
But \n and \r are newlines/enters (newline and carriage return, to be exact)? mysql_real_escape_string() has no influence on that whatsoever. You probably want to use nl2br() (and don't forget htmlentities()) when displaying the data, so <br /> is inserted before all newlines in the string, resulting in visible line breaks in a browser.
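The split the replies describe (keep the stored text unaltered, escape only at display time, and handle newlines with nl2br()), as an added example that is not code from the thread. It uses a PDO prepared statement in place of mysql_real_escape_string() for the same purpose of keeping input out of the SQL text; the `$pdo` connection and the `posts`/`body` names are assumptions, and the textarea input is constructed.

```php
<?php
// Added example, not from the thread. Assumes a PDO connection $pdo and a
// table `posts` with a TEXT column `body` (hypothetical names).

function savePost(PDO $pdo, string $body): void
{
    // The text goes in exactly as typed. The placeholder keeps it out of the
    // SQL statement, which is the job mysql_real_escape_string() did by hand
    // in the thread; there is no reason to urlencode() it first.
    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

function renderPost(string $body): string
{
    // Escape for HTML first: ENT_QUOTES covers both ' and ", so the stored
    // text cannot break out of the page. Then turn the real newline
    // characters (\r\n or \n) into <br /> for the browser; nl2br() keeps the
    // original newline in place as well.
    return nl2br(htmlspecialchars($body, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample: what a textarea submits from a Windows browser, with a
// quote and an HTML tag to show why escaping belongs at display time.
$input = "Line one, O'Reilly\r\n<b>not bold</b>\r\nLine three";

// For contrast, urlencode() turns the quote, the angle brackets and every
// newline into %XX sequences. Stored that way the column no longer contains
// the user's text, so LIKE searches and length limits act on the encoded form
// and every reader of the table has to remember to urldecode().
echo urlencode($input), "\n\n";

// The recommended path: store $input via savePost($pdo, $input) unchanged,
// and escape only when rendering.
echo renderPost($input), "\n";
```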