LanceT, posted April 16, 2007
Do you think using the htmlspecialchars function makes user input safe for the MySQL database? If not, what other exploits are there? Do I really need to add more to make my user input secure?
Source: https://forums.phpfreaks.com/topic/47193-htmlspecialchars-makes-stuff-safe/
marcus, posted April 16, 2007
htmlspecialchars will replace certain characters into their ASCII form. For example: a < will be replaced as &lt;, a > will be replaced as &gt;. The safest way (in my opinion) would be to use mysql_real_escape_string() before you enter information into your database.
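The thread runs two different jobs together: keeping user input from changing the structure of a SQL statement, and encoding it so a browser treats it as text rather than markup. The added example below (not code from the thread) separates them. It uses PDO with an in-memory SQLite database so it runs offline and assumes the pdo_sqlite extension is loaded; the same PDO calls work against MySQL, and they replace mysql_real_escape_string(), which was removed together with the mysql extension in PHP 7.0. The sample inputs are constructed.

```php
<?php
// Added example (not from the thread). Shows the two separate jobs the thread
// conflates: keeping user input out of SQL structure, and encoding it for HTML.
// Uses PDO with an in-memory SQLite database (assumes the pdo_sqlite extension
// is loaded) so it runs offline; the same PDO calls work against MySQL.

// Constructed sample inputs: a legitimate quote, a SQL-looking string, an HTML one.
$samples = [
    "O'Brien",
    "x' OR '1'='1",
    "<script>alert(1)</script>",
];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// 1. Storage: a prepared statement with a bound parameter. The input is sent
//    as data, never spliced into the query text, so quotes in it are irrelevant
//    and no escaping function is involved at all.
$insert = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
foreach ($samples as $s) {
    $insert->execute([':body' => $s]);
}

// 2. Lookup with a bound parameter: the "x' OR '1'='1" input matches only the
//    row that literally contains that string, not every row.
$select = $db->prepare('SELECT COUNT(*) FROM comments WHERE body = :body');
$select->execute([':body' => "x' OR '1'='1"]);
printf("rows matched by the quote-bearing input: %d\n", $select->fetchColumn());

// 3. Output: HTML-encode at the point where the value goes into a page.
//    ENT_QUOTES also encodes single quotes (before PHP 8.1 the default left
//    them alone) and the explicit charset avoids relying on the default.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

foreach ($db->query('SELECT body FROM comments ORDER BY id') as $row) {
    echo '<li>' . html_escape($row['body']) . "</li>\n";
}
// htmlspecialchars never touches the stored value; it only changes the rendered
// copy. Escaping for HTML and escaping for SQL are different encodings, and
// neither one substitutes for the other.
```

Run it with the PHP CLI; the count printed in step 2 is 1, and the list items in step 3 show the script tag rendered as entities rather than executed.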
Hughesy1986, posted April 16, 2007
If you are just looking to remove the HTML then strip_tags is the best option as you can allow certain tags as well.
<?php
$var = "<script type='text/javascript'>window.location(http://www.ebay.co.uk)</script><b>Hi</b>";
$var = strip_tags($var, '<b>');
echo $var;
?>
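The allow-list form of strip_tags() has a caveat worth knowing before relying on it: it removes disallowed tags but leaves every attribute on an allowed tag exactly as supplied, event-handler attributes included. The added example below (not code from the thread, inputs constructed) shows that behaviour next to htmlspecialchars(), and finishes with a small hypothetical helper, keep_bold_only(), that keeps bare <b> tags by rebuilding them instead of trusting the input's own markup.

```php
<?php
// Added example (not from the thread). Shows what strip_tags() with an allow
// list does and does not remove, using constructed input. strip_tags keeps every
// attribute on an allowed tag, so allowing <b> also lets through attributes on
// <b>; that is why the allow list is not a substitute for output encoding.

$input = "<script>alert(1)</script><b onmouseover=\"alert(2)\">Hi</b>";

// strip_tags with <b> allowed: the <script> element is removed, but the <b>
// element keeps its onmouseover attribute untouched.
$stripped = strip_tags($input, '<b>');
echo "strip_tags:       ", $stripped, "\n";

// htmlspecialchars: nothing is removed; every tag becomes inert text. This is
// the right choice when the value should be displayed, not rendered as markup.
$encoded = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo "htmlspecialchars: ", $encoded, "\n";

// If some markup must survive, a helper that rebuilds the allowed tags from
// scratch is safer than trusting strip_tags to clean them. This hypothetical
// helper passes through only a literal <b> or </b> (no attributes) and
// HTML-encodes everything else, including a <b ...> that carries attributes.
function keep_bold_only(string $s): string
{
    $parts = preg_split('#(</?b>)#i', $s, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($parts as $p) {
        if (preg_match('#^</?b>$#i', $p)) {
            $out .= strtolower($p);   // emit the bare tag itself, never the input's copy
        } else {
            $out .= htmlspecialchars($p, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        }
    }
    return $out;
}

echo "keep_bold_only:   ",
    keep_bold_only("<b>Hi</b> and <b onmouseover=\"alert(2)\">there</b>"), "\n";
```

In the third line of output the first <b>Hi</b> survives as markup while the attribute-bearing <b> is printed as encoded text, which is the property strip_tags alone does not give you.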