htmlentities and htmlspecialchars





imagefree
What's the difference between the htmlspecialchars() and htmlentities() functions?

As per manual:

Quote:
htmlspecialchars — Convert special characters to HTML entities
htmlentities — Convert all applicable characters to HTML entities


I can't understand the difference. I previously used htmlspecialchars() widely in a script, but today I saw htmlentities() used as an alternative in a script. The manual differentiates them, so I need your help with an explanation.


Thanks.

Edit: One more question. Are characters like !@#$%^&*()_+- or similar characters dangerous if I let users use them in their usernames? (Dangerous means dangerous for MySQL and the browser.)
rvec
Not all of them are dangerous, but allowing users to execute JavaScript on a page is dangerous, and allowing users to put '"# in a MySQL statement is also dangerous. Of course a lot of other stuff can be dangerous, so best would be to escape anything you put in MySQL with the MySQL escape command and everything that you put in your HTML with htmlspecialchars.
imagefree
rvec wrote:
Not all of them are dangerous, but allowing users to execute JavaScript on a page is dangerous, and allowing users to put '"# in a MySQL statement is also dangerous. Of course a lot of other stuff can be dangerous, so best would be to escape anything you put in MySQL with the MySQL escape command and everything that you put in your HTML with htmlspecialchars.


MySQL escape? addslashes()?
Stubru Freak
A lot of characters have HTML entities (like &), even non-dangerous ones (like ). htmlentities changes them, while htmlspecialchars only changes the dangerous ones.

For SQL, you should do mysql_real_escape_string. It's safer than addslashes, because it asks MySQL for which characters are dangerous, instead of just assuming.
imagefree
I think mysql_real_escape_string necessarily requires a prior connection to MySQL, doesn't it?
rvec
Yes, but since you only need it if you work with MySQL, you should be able to manage.
jmlworld
imagefree wrote:
I think mysql_real_escape_string necessarily requires a prior connection to MySQL, doesn't it?


Since you are sending data to MySQL, you connect to MySQL before sending that data, don't you?


By the way, I think mysql_real_escape_string is secure, powerful and safer!
imagefree
This is the character set (allowed characters). Is it safe? (I will definitely escape when using MySQL.)
Code:
define('ALLOWED_CHARS', '1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-{}[]()');
define('ANAME_ALLOWED_CHARS', ALLOWED_CHARS . ' ?.,;:+=|~');


ALLOWED_CHARS are allowed characters for username.
ANAME_ALLOWED_CHARS are allowed characters for Article Name (like phpbb post title).
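A PHP example, added here and not code from any of the posts, that shows the difference Stubru Freak describes on one constructed string and checks a username against imagefree's ALLOWED_CHARS whitelist. The ENT_* flags, the sample string and the length bounds are my assumptions, not something the thread specifies.

```php
<?php
// Added example, not code from the thread. Uses the thread's ALLOWED_CHARS
// whitelist and a constructed sample string to contrast the two functions.
declare(strict_types=1);

define('ALLOWED_CHARS', '1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-{}[]()');

// Constructed sample: the five HTML-significant characters (& < > " ')
// plus two characters that only htmlentities() has named entities for.
$sample = '<b>Tom & "Jerry" \'s café ©</b>';

// htmlspecialchars() rewrites only & < > " and (with ENT_QUOTES) '.
// é and © are left untouched, which is fine when the page is served as UTF-8.
echo htmlspecialchars($sample, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";

// htmlentities() does the same and additionally rewrites every character
// that has a named entity, so é becomes &eacute; and © becomes &copy;.
echo htmlentities($sample, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";

// Caveat: before PHP 8.1 the default flags were ENT_COMPAT, which leaves the
// single quote alone, so a value dropped into value='...' could close the
// attribute early. Passing ENT_QUOTES explicitly avoids that on any version.

// Whitelist check for usernames. strspn() returns the length of the leading
// run of characters found in ALLOWED_CHARS; a name passes only when that run
// covers the whole string, i.e. no character outside the set occurs anywhere.
// The 3..32 length bounds are an assumption for this example.
function isValidUsername(string $name): bool
{
    $len = strlen($name);
    return $len >= 3 && $len <= 32 && strspn($name, ALLOWED_CHARS) === $len;
}

foreach (['tom_jerry', 'tom jerry', "o'brien", '<script>'] as $candidate) {
    printf("%-12s %s\n", $candidate, isValidUsername($candidate) ? 'allowed' : 'rejected');
}

// Even a whitelisted name is still escaped at output time: the whitelist is
// defence in depth, not a replacement for escaping in HTML or in SQL.
$name = 'tom_jerry';
echo "<input name='user' value='" . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "'>\n";
```

The same reasoning applies to ANAME_ALLOWED_CHARS: none of its extra characters are HTML-significant, but an article title is still passed through htmlspecialchars() when rendered and through the MySQL escaping the thread discusses when stored.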
© 2005-2011 Frihost, forums powered by phpBB.