Well, I am making a blog in which I have to show images and links in every post, so I have to use <a> & <img> tags in my posts. But I am also using the htmlentities function on the "post" string variable (like this -- <?php echo htmlentities($post); ?>) to prevent SQL injection attacks. This htmlentities function shows my tags as text. So is there any way to escape these tags from the htmlentities function?
I hope you have understood what I am trying to say.
Waiting for any reply...

Edited by aaloo: n/a

Last Post by diafol

use mysql_real_escape_string() to escape. Keep the html as is. You can use strip_tags():

to allow certain tags only, e.g. anchor and image. The main problem with allowing html is <script> and badly formed/unterminated tags.

The only reason to htmlentity (IMO) is if you want to display viewable html in your page, or to stop non-terminated user-entered html from breaking your site.

Don't store htmlentity-ified text in your DB - just use it on the data when you come to display, if you really need to.

If you really must allow user-entered html, perhaps use BBCode.

Edited by diafol: n/a


I am using mysql_real_escape_string() before storing the text in the database, and then I am using the htmlentities function to display the text in the browser.
Can I use the strip_tags() function like this?

<?php
$post = htmlentities($post);
echo $post;
?>

Will it improve my security against SQL injection?


I can't see any advantage in using htmlentities with regard to helping with security against SQL injection.

AFAIK, preventing SQL injection involves safe quoting and protecting number input - where quotes aren't used to enclose data.

mysql_real_escape_string will provide safe quoting, and you could use intval to provide safe numbering (if you are expecting an integer). floatval could also be used. However, this type of data should be validated first, e.g. with is_int or is_float.

I don't see the advantage of using htmlentities with regard to making SQL input safe. strip_tags shouldn't affect SQL - just ensure that your output from the DB doesn't contain any horribleness like <script>.

Mind you, I'm a hobbyist, not an expert, so anybody else with a 'pro' explanation?
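The separation the replies above draw between SQL-side quoting, numeric validation and HTML output handling, as an added PHP example that is not code from this thread. It assumes PHP 7.1 or later (so mysql_real_escape_string(), which needs a live connection and was removed in PHP 7, is not called); the post body and the function names are constructed for illustration.

```php
<?php
// Added illustration (not from the thread). Three separate concerns:
// numeric input validation, SQL-side quoting, and HTML output handling.

// Constructed sample post body, as a blog author might submit it.
$post = "Tom's <a href=\"/gallery\">gallery</a> has <img src=\"/cat.png\" alt=\"cat\">"
      . " <script>/* untrusted */</script> and an unterminated <b>tag";

// Validating an integer id taken from the request (e.g. ?id=...).
// is_int('7') is false for request strings, so filter_var is used here
// instead; intval alone would silently turn "7abc" into 7.
function validate_post_id(string $raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// htmlentities() is output encoding, not SQL quoting: with the pre-8.1
// default flag (ENT_COMPAT) the single quote that matters to SQL passes
// through untouched, which is why it does nothing for SQL injection.
function html_encode_compat(string $text): string {
    return htmlentities($text, ENT_COMPAT, 'UTF-8');
}

// Display path 1: show the whole post as text (tags become visible markup).
function render_as_text(string $text): string {
    return htmlentities($text, ENT_QUOTES, 'UTF-8');
}

// Display path 2: keep only anchor and image tags and remove every other
// tag (the <script> tags and the stray <b>); text between removed tags
// stays as plain text. Caveat: strip_tags() leaves the attributes of the
// allowed tags alone, so href and src still need their own validation.
function render_allowlisted(string $text): string {
    return strip_tags($text, '<a><img>');
}

var_dump(validate_post_id('42'));
var_dump(validate_post_id('42abc'));
echo html_encode_compat("Tom's"), "\n";
echo render_as_text($post), "\n";
echo render_allowlisted($post), "\n";
```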
