Well, I am making a blog in which I have to show images and links in my every post. So I have to use <a> & <img> tags in my post. But I'm also using the htmlentities function for the "post" string variable (like this: <?php echo htmlentities($post); ?>) to prevent SQL injection attacks. This htmlentities function will show my tags as text. So is there any way to escape these tags from the htmlentities function?
I hope you have understood what I am trying to say.
Waiting for any reply...
I can't see any advantage in using htmlentities with regard to helping with security wrt SQL injection.
AFAIK, preventing SQL injection involves safe quoting and protecting number input - where quotes aren't used to enclose data.
mysql_real_escape_string will provide safe quoting and you could use intval to provide safe numbering (if you are expecting an integer). floatval could also be used. However, this type of data should be validated first, e.g. with is_int or is_float.
I don't see the advantage of using htmlentities with regard to making SQL input safe. strip_tags shouldn't affect SQL - just ensure that your output from the DB doesn't contain any horribleness like <script>.
Mind you, I'm a hobbyist, not an expert, so anybody else with a 'pro' explanation?
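The separation the reply draws, SQL quoting on the way into the database versus HTML encoding on the way out, as an added PHP example that is not code from either poster. It swaps in PDO prepared statements for mysql_real_escape_string, and the `$pdo` connection, the `posts` table and its columns are hypothetical.

```php
<?php
// Added example. Assumes a PDO connection in $pdo and a table
// posts(id, body, link_url, img_url); both are hypothetical.

// SQL layer: a prepared statement keeps user data out of the query text,
// so the body needs no quoting and htmlentities() plays no part here.
function savePost(PDO $pdo, string $body, ?string $linkUrl, ?string $imgUrl): int {
    $stmt = $pdo->prepare(
        'INSERT INTO posts (body, link_url, img_url) VALUES (:body, :link, :img)'
    );
    $stmt->execute([':body' => $body, ':link' => $linkUrl, ':img' => $imgUrl]);
    return (int) $pdo->lastInsertId();
}

// HTML layer: encode every data value at output time, and build the <a>/<img>
// tags from validated URL fields rather than letting raw tags through.
// The tags are trusted template text; only the values are escaped.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Accept only absolute http/https URLs; javascript:, data: and the like are dropped.
function safeHttpUrl(?string $url): ?string {
    if ($url === null) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        return null;
    }
    return filter_var($url, FILTER_VALIDATE_URL) !== false ? $url : null;
}

function renderPost(array $row): string {
    $html = '<p>' . nl2br(h($row['body'])) . '</p>';
    if (($u = safeHttpUrl($row['link_url'])) !== null) {
        $html .= '<p><a href="' . h($u) . '" rel="noopener noreferrer">' . h($u) . '</a></p>';
    }
    if (($u = safeHttpUrl($row['img_url'])) !== null) {
        $html .= '<p><img src="' . h($u) . '" alt=""></p>';
    }
    return $html;
}

// Constructed sample row, as it might come back from the database.
$row = [
    'body'     => "Hello <script>alert(1)</script> & welcome",
    'link_url' => 'https://example.com/page?a=1&b=2',
    'img_url'  => 'javascript:alert(1)',   // rejected by safeHttpUrl()
];
echo renderPost($row);
```

The body is shown as literal text (the script tag is encoded, not executed), the link is emitted with its ampersand encoded, and the image is omitted because its URL fails the scheme check.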