afridy — 2012-06-23T02:35:36-04:00 — #1
1 | carpenter
2 | Foreman Insp. & Valves Rooms
User selects "Foreman Insp. & Valves Rooms" from a selection list in a form.
now i validate his input gainst htmlentities() and mysql real escape string() to prevent sql injections.
then i compare his input with our 'table positions".
problem is it does not match even though input and table data are identical
but if i remove htmlentities() from the validations, it compare correctly.
how to solve this issue? coz i need htmlentities() in place as a security messure.
cups — 2012-06-23T06:50:06-04:00 — #2
No, you have not understood something fundamental.
htmlentities is an escaping mechanism for when the next target environment is a html stream, for a webpage, it escapes potentially dangerous characters which could lead to XSS attack.
mysql_real_escape_string is an escape mechanism for when the next target environment is mysql, it escapes potentially dangerous characters that could lead to an SQL injection style attack.
I have heard of some saying they use both, so that their data is always ready to be displayed on a webpage, but this would clearly depend upon all their data being html escaped, from when they originally put it in there.
This is not the common practice though AFAICT.
If you HAD put html escaped data in your table then your query would match, as far as I can see.
serverstorm — 2012-06-23T09:03:49-04:00 — #3
Just to add... normally htmlentities() should be used on the output/display of your data. People who have stored htlentities() code in their db, often complain about not being able to work with the data (other than display it on an Web Page) afterwards . So escape on output filter on input. Use mysql_real_escape_string before inserting/updating your tables; or bind parameters using PDO or MYSQLI (I personally prefer the PDO binding style but other like MYSQLI's)