htmlspecialchars vs mysqli_real_escape_string

[mahenda]

which one is necessary while protecting form field

Edited July 28, 2019 by mahenda

[Barand]

Protecting a form field from what?

htmlspecialchars() is for use when outputting user-supplied data data to a web page.

mysql_real_escape string() is  was used to protect input values to queries from SQL injection. This is now obsolete, replaced by mysqli_real_escape_string() or (better still) the use of prepared statements to completely separate the query code from the user-supplied data.

Edited July 28, 2019 by Barand

[Psycho]

18 hours ago, Barand said:

Protecting a form field from what?

htmlspecialchars() is for use when outputting user-supplied data data to a web page.

mysql_real_escape string() is  was used to protect input values to queries from SQL injection. This is now obsolete, replaced by mysqli_real_escape_string() or (better still) the use of prepared statements to completely separate the query code from the user-supplied data.

Agree. Although I would say there is a case where "protecting a form field" is directly related to "outputting user-supplied data". When populating a form field value (e.g. when editing a record) it would be appropriate to escape the content in the value parameter. Not sure if that is what the OP is asking about since what is being asked doesn't exactly make sense.

[mahenda]

I want to protect the database from being injected using both SQL injection and xss protection techniques so what is very useful.

[cyberRobot]

Perhaps the following will help:
https://phpsecurity.readthedocs.io/

There's a section on SQL injections and another on XSS attacks.

[gizmola]

The 2 things have nothing to do with each other, but I will say this about SQL Injections.  Forget about mysqli_real_escape_string or any attempt to escape anything, and use parameters.  Use parameters and bind the values. This eliminates the possibility of SQL Injections, because no interpolation is being done, and you also no longer have to care about escaping quotes or other characters special to SQL.  

https://www.php.net/htmlspecialchars is something you can use to combat XSS, or https://www.php.net/manual/en/filter.filters.sanitize.php.  

For XSS the best solution is to store the input in the DB as is, and then do your filtration/conversion when you are going to present the string on your site/within your application.

[mahenda]

$keyword = $_GET['search'];
$search = $con->prepare("SELECT * FROM members WHERE name LIKE :keywword");
$search->bindValue(':keyword', '%' . $keyword . '%', PDO::PARAM_STR);
$search->execute();
				

or 


$keyword = mysqli_real_escape_string($con, $_GET['search']);
........
which is better for securing search input

and why uri  is 

http://localhost/member_app/results?search=<script>alert('hi')<%2Fscript> after submission

[Barand]

5 minutes ago, mahenda said:

which is better for securing search input

That has already been answered in the previous post...

On 8/2/2019 at 10:31 AM, gizmola said:

Forget about mysqli_real_escape_string or any attempt to escape anything, and use parameters.

 

The query string has been automatically url_encoded prior to submission.

[mahenda]

19 minutes ago, Barand said:

That has already been answered in the previous post...

 

The query string has been automatically url_encoded prior to submission.

so it means this is secure

check what is happen when i'm trying searching

http://localhost/member_app/results?page=1&search=mahenda

i'm doubt with the number of page why is visible and how to hide them

Edited August 17, 2019 by mahenda

[Barand]

Don't use form method = GET if you don't want the values to be in the query string.