PHP: Difference between htmlspecialchars and mysql_real_escape_string
Question by Guest | 2014-06-10 at 06:05
At the moment I do not have a clue what the difference actually is between the two PHP functions htmlspecialchars and mysql_real_escape_string, and in which case you should use one or the other. Somehow, it seems to me that both functions are nearly the same.
If you want to output a string like "<p>ABC</p>", normally the "<p>" and "</p>" will not become visible, because the characters are interpreted as HTML. If you nevertheless would like to output such a string, you can use htmlspecialchars for this. This function ensures that all special characters such as &, ", ', < and > will be converted into HTML code, that is &amp;, &quot;, &#039;, &lt; and &gt;. In other words, you should use htmlspecialchars for outputting strings containing HTML characters.
If you allow your users to input something on your website and you are creating a MySQL query out of the input, it is possible that a user submits their own SQL commands (SQL injection). The function mysql_real_escape_string prevents this by writing a backslash \ in front of the characters \x00, \n, \r, \, ', " and \x1a. So, you should always use mysql_real_escape_string before sending possibly insecure data to MySQL.
2014-06-10 at 12:10
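The distinction the answer draws is between two output contexts, HTML markup and a quoted SQL string literal, each with its own set of dangerous characters. The following script is an added example and not part of the original answer; it runs the same constructed input through both escapers. It uses mysqli_real_escape_string, the successor of mysql_real_escape_string (the mysql_* extension was removed in PHP 7.0). The connection parameters, the table name comments and its column body are placeholder assumptions; if no database is reachable, the SQL part is skipped and the HTML part still runs.

```php
<?php
// Added example (not the original answer's code): one piece of user input,
// escaped for two different contexts. Constructed sample input, deliberately
// containing both HTML and SQL metacharacters.
declare(strict_types=1);

$input = "<b>O'Reilly</b> \" \\ <script>alert(1)</script>";

// Context 1: HTML body. The string must *display* literally inside a page.
function forHtml(string $s): string
{
    // ENT_QUOTES: also convert the single quote (not done by default before PHP 8.1).
    // ENT_SUBSTITUTE: replace invalid UTF-8 instead of silently returning "".
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Context 2: a quoted SQL string literal. The escaping depends on the
// connection's character set, so a live connection is required.
function forSqlLiteral(mysqli $db, string $s): string
{
    return mysqli_real_escape_string($db, $s);
}

echo "HTML context: ", forHtml($input), PHP_EOL;

// Placeholder credentials (assumption); mysqli throws on failure in this mode.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
    $db = new mysqli('127.0.0.1', 'app', 'secret', 'appdb');
    $db->set_charset('utf8mb4'); // escaping must match the connection charset

    echo "SQL literal:  '", forSqlLiteral($db, $input), "'", PHP_EOL;

    // Preferred alternative for the SQL context: a prepared statement. The value
    // is sent separately from the SQL text, so no string escaping is needed.
    $stmt = $db->prepare('SELECT id FROM comments WHERE body = ?');
    $stmt->bind_param('s', $input);
    $stmt->execute();
    echo "Prepared statement executed with the raw input bound as a parameter.", PHP_EOL;
} catch (mysqli_sql_exception $e) {
    echo "No database connection, SQL part skipped: ", $e->getMessage(), PHP_EOL;
}

// Why the two functions are not interchangeable:
//  - htmlspecialchars() never touches the backslash, and without ENT_QUOTES
//    (the default before PHP 8.1) not the single quote either, so a value that
//    renders harmlessly on a web page can still terminate a quoted SQL literal.
//  - mysqli_real_escape_string() never touches < or >, so the <script> element
//    above would still run if the escaped value were echoed into a page.
```

Run it with `php example.php`. The practical rule the answer gives holds regardless of the database extension in use: apply the escaper that matches the context the data is going into, at the moment it goes there, and for SQL prefer parameter binding over string escaping altogether.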