
PHP: Difference between htmlspecialchars and mysql_real_escape_string

Question by Guest | 2014-06-10 at 06:05

At the moment I do not have a clue what the difference actually is between the two PHP functions htmlspecialchars and mysql_real_escape_string, and in which case you should use one or the other. Somehow, it seems to me that both functions are nearly the same.

Best Answer | 0 Votes

If you want to output a string like "<p>ABC</p>", normally the "<p>" and "</p>" will not become visible, because the characters are interpreted as HTML. If you nevertheless would like to output such a string, you can use htmlspecialchars for this. This function ensures that all special characters such as &, ", ', < and > are converted into HTML code, that is &amp;, &quot;, &#039;, &lt; and &gt;. In other words, you should use htmlspecialchars for outputting strings containing HTML characters.

If you allow your users to input something on your website and you are creating a MySQL query out of the input, it is possible that a user submits their own SQL commands (SQL injection). The function mysql_real_escape_string prevents this by writing a backslash \ in front of the characters \x00, \n, \r, \, ', " and \x1a. So, you should always use mysql_real_escape_string before sending potentially insecure data to MySQL.
2014-06-10 at 12:10
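The two contexts from the answer side by side, as an added example that is not part of the original post. It assumes PHP with the PDO SQLite driver so it runs offline (an in-memory SQLite database stands in for MySQL); since the mysql_* functions were removed in PHP 7, a bound parameter does the job that mysql_real_escape_string did, and htmlspecialchars is still used for output.

```php
<?php
// Added example, not from the original post. Assumption: PDO with the sqlite
// driver is available; SQLite in memory stands in for MySQL so the script runs
// offline. The mysql_* functions were removed in PHP 7, so parameter binding
// takes over the role of mysql_real_escape_string.
declare(strict_types=1);

// Context 1: HTML output. Convert &, ", ', < and > so the browser shows them
// literally instead of interpreting them as markup. ENT_QUOTES is needed for
// the single quote; ENT_HTML401 renders it as &#039; as in the answer.
function escape_for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// Context 2: SQL. Keep the data out of the query text entirely by binding it
// as a parameter; the quote in O'Reilly is never parsed as SQL syntax.
function store_comment(PDO $db, string $author, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:a, :b)');
    $stmt->execute([':a' => $author, ':b' => $body]);
}

function fetch_comments(PDO $db): array
{
    return $db->query('SELECT author, body FROM comments')->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (author TEXT, body TEXT)');

// Constructed input: a single quote (matters to SQL) and tags (matter to HTML).
$author = "O'Reilly & Co";
$body   = "<b>bold</b>";

store_comment($db, $author, $body);

// Store the raw value and escape only when writing HTML: escaping at input
// time would double-encode the data and break other uses of it (e-mail, JSON).
foreach (fetch_comments($db) as $row) {
    echo '<li>' . escape_for_html($row['author']) . ': '
        . escape_for_html($row['body']) . "</li>\n";
}
```

The rule the two functions share is that each escaping step belongs to exactly one output context, applied at the moment the data enters that context.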

