php - Do I need htmlentities() or htmlspecialchars() in prepared statements? -


in article http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html, says followings:

there numerous advantages using prepared statements in applications, both security , performance reasons.

prepared statements can increase security separating sql logic data being supplied. separation of logic , data can prevent common type of vulnerability called sql injection attack.

normally when dealing ad hoc query, need careful when handling data received user. this entails using functions escape of necessary trouble characters, such single quote, double quote, , backslash characters.

this unnecessary when dealing prepared statements. separation of data allows mysql automatically take account these characters , not need escaped using special function.

does mean don't need htmlentities() or htmlspecialchars()? assume need add strip_tags() user input data? right?

htmlentities , htmlspecialchars used generate html output sent browser.

prepared statements used generate/send queries database engine.

both allow escaping of data; don't escape same usage.
so, no, prepared statements (for sql queries) don't prevent using htmlspecialchars/htmlentities (for html generation)

about strip_tags: remove tags string, htmlspecialchars transform them html entities.
2 functions don't same thing; should choose 1 use depending on needs / want get.

for instance, piece of code:

$str = 'this <strong>test</strong>'; var_dump(strip_tags($str)); var_dump(htmlspecialchars($str));

you'll kind of output:

string 'this test' (length=14) string 'this &lt;strong&gt;test&lt;/strong&gt;' (length=43)

in first case, no tag; in second, escaped ones.

and, html output:

$str = 'this <strong>test</strong>'; echo strip_tags($str); echo '<br />'; echo htmlspecialchars($str);

you'll get:

this test <strong>test</strong>

which 1 of want? that important question ;-)


Comments

Post a Comment

Popular posts from this blog

How to provide Authorization & Authentication using Asp.net, C#? -

Image
i have asp.net application in c#. i have provide page authorization specific user/usergroup. i have created 2 tables in database: 1) pagename 2)permissions[insert, update, view, delete] but i'm unable match tables , permissions assigning... can 1 please me, how created tables in database , how coding. please me. you can below explanation. configure access specific file , folder, set forms-based authentication. request page in application redirected logon.aspx automatically. in web.config file, type or paste following code. this code grants users access default1.aspx page , subdir1 folder . <configuration> <system.web> <authentication mode="forms" > <forms loginurl="login.aspx" name=".aspnetauth" protection="none" path="/" timeout="20" > </forms> </authentication> <!-- section denies access files in...
Read more

toolbar - How to add link to user registration inside toobar in admin joomla 3 custom component -

im trying write component admin side , need add user creation. dont want duplicate existing codes add link. know how add task not simple link toolbar. thx help. if wanting button opens new user screen can try in component: $bar = jtoolbar::getinstance('toolbar'); $bar->appendbutton('link', 'users', 'new user','index.php?option=com_users&task=user.add'); you need add view.html.php file wherever you're creating toolbar. is need?
Read more

How to use Authorization & Authentication in Asp.net, C#? -

i using roll management , trying give page , folder access according user or user group, using server created ad group user authentication. i have default1.aspx page default , subdir1 folder give different access separate user group i using below logic in web.config. <location path="subdir1"> <system.web> <authorization> <allow users ="?" /> </authorization> </system.web> </location> i facing problem provide same access 2 or more directory same user should have provide allow user code twice both folder? i can use logic repeating value folder want access providing in 1 logic. i have got answer configure folder/page access, have make different access shown below.. configure access specific file , folder, set forms-based authentication. request page in application redirected logon.aspx automatically. in web.config file, done following code. this code grants user...
Read more