mahenda Posted July 28, 2019 Share Posted July 28, 2019 (edited) which one is necessary while protecting form field Edited July 28, 2019 by mahenda Quote Link to comment https://forums.phpfreaks.com/topic/309044-htmlspecialchars-vs-mysqli_real_escape_string/ Share on other sites More sharing options...
Barand Posted July 28, 2019 Share Posted July 28, 2019 (edited) Protecting a form field from what? htmlspecialchars() is for use when outputting user-supplied data data to a web page. mysql_real_escape string() is was used to protect input values to queries from SQL injection. This is now obsolete, replaced by mysqli_real_escape_string() or (better still) the use of prepared statements to completely separate the query code from the user-supplied data. Edited July 28, 2019 by Barand 2 Quote Link to comment https://forums.phpfreaks.com/topic/309044-htmlspecialchars-vs-mysqli_real_escape_string/#findComment-1568779 Share on other sites More sharing options...
Psycho Posted July 29, 2019 Share Posted July 29, 2019 18 hours ago, Barand said: Protecting a form field from what? htmlspecialchars() is for use when outputting user-supplied data data to a web page. mysql_real_escape string() is was used to protect input values to queries from SQL injection. This is now obsolete, replaced by mysqli_real_escape_string() or (better still) the use of prepared statements to completely separate the query code from the user-supplied data. Agree. Although I would say there is a case where "protecting a form field" is directly related to "outputting user-supplied data". When populating a form field value (e.g. when editing a record) it would be appropriate to escape the content in the value parameter. Not sure if that is what the OP is asking about since what is being asked doesn't exactly make sense. Quote Link to comment https://forums.phpfreaks.com/topic/309044-htmlspecialchars-vs-mysqli_real_escape_string/#findComment-1568805 Share on other sites More sharing options...
mahenda Posted July 31, 2019 Author Share Posted July 31, 2019 I want to protect the database from being injected using both SQL injection and xss protection techniques so what is very useful. Quote Link to comment https://forums.phpfreaks.com/topic/309044-htmlspecialchars-vs-mysqli_real_escape_string/#findComment-1568823 Share on other sites More sharing options...
cyberRobot Posted July 31, 2019 Share Posted July 31, 2019 Perhaps the following will help:https://phpsecurity.readthedocs.io/ There's a section on SQL injections and another on XSS attacks. Quote Link to comment https://forums.phpfreaks.com/topic/309044-htmlspecialchars-vs-mysqli_real_escape_string/#findComment-1568824 Share on other sites More sharing options...
gizmola Posted August 2, 2019 Share Posted August 2, 2019 The 2 things have nothing to do with each other, but I will say this about SQL Injections. Forget about mysqli_real_escape_string or any attempt to escape anything, and use parameters. Use parameters and bind the values. This eliminates the possibility of SQL Injections, because no interpolation is being done, and you also no longer have to care about escaping quotes or other characters special to SQL. https://www.php.net/htmlspecialchars is something you can use to combat XSS, or https://www.php.net/manual/en/filter.filters.sanitize.php. For XSS the best solution is to store the input in the DB as is, and then do your filtration/conversion when you are going to present the string on your site/within your application. 1 Quote Link to comment https://forums.phpfreaks.com/topic/309044-htmlspecialchars-vs-mysqli_real_escape_string/#findComment-1568841 Share on other sites More sharing options...
mahenda Posted August 17, 2019 Author Share Posted August 17, 2019 $keyword = $_GET['search']; $search = $con->prepare("SELECT * FROM members WHERE name LIKE :keywword"); $search->bindValue(':keyword', '%' . $keyword . '%', PDO::PARAM_STR); $search->execute(); or $keyword = mysqli_real_escape_string($con, $_GET['search']); ........ which is better for securing search input and why uri is http://localhost/member_app/results?search=<script>alert('hi')<%2Fscript> after submission Quote Link to comment https://forums.phpfreaks.com/topic/309044-htmlspecialchars-vs-mysqli_real_escape_string/#findComment-1569048 Share on other sites More sharing options...
Barand Posted August 17, 2019 Share Posted August 17, 2019 5 minutes ago, mahenda said: which is better for securing search input That has already been answered in the previous post... On 8/2/2019 at 10:31 AM, gizmola said: Forget about mysqli_real_escape_string or any attempt to escape anything, and use parameters. The query string has been automatically url_encoded prior to submission. Quote Link to comment https://forums.phpfreaks.com/topic/309044-htmlspecialchars-vs-mysqli_real_escape_string/#findComment-1569049 Share on other sites More sharing options...
mahenda Posted August 17, 2019 Author Share Posted August 17, 2019 (edited) 19 minutes ago, Barand said: That has already been answered in the previous post... The query string has been automatically url_encoded prior to submission. so it means this is secure check what is happen when i'm trying searching http://localhost/member_app/results?page=1&search=mahenda i'm doubt with the number of page why is visible and how to hide them Edited August 17, 2019 by mahenda Quote Link to comment https://forums.phpfreaks.com/topic/309044-htmlspecialchars-vs-mysqli_real_escape_string/#findComment-1569050 Share on other sites More sharing options...
Barand Posted August 17, 2019 Share Posted August 17, 2019 Don't use form method = GET if you don't want the values to be in the query string. Quote Link to comment https://forums.phpfreaks.com/topic/309044-htmlspecialchars-vs-mysqli_real_escape_string/#findComment-1569052 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.