When to use which string escaping method? [closed]

Answer 1

when you insert data to a mysql database use this:

mysql_real_escape_string()

when you're going to display content a user gave you:

htmlentities()

if you database doesn't have it's own function in php, you could use: addslashes() , but it's not recommended to use when you have something specific that is better (mysql_real_escape_string()).

see this for more info:

Htmlentities vs addslashes vs mysqli_real_escape_string

P.S you should use mysqli_real_escape_string(), not mysql_real_escape_string().

EDIT:

to really prevent attacks, this is good reading material : http://www.php.net/manual/en/security.database.sql-injection.php...

You should also look into prepared statements: http://www.php.net/manual/en/mysqli.prepare.php

a lot of info is also available here on stack overflow.

Answer 2

which should I use in what situation?

• htmlentities(). never use it, but htmlspecialchars(). For printing untrusted user input into browser.
• mysql_real_escape_string is mysql database specific function. here is a comprehensive guide I wrote exactly on topic where to use it and where not and what else you need to know on mysql database security
• addslashes(). it depends. most of time you just don't need it at all

Answer 3

• addslashes() / stripslashes() goes back to a rather bad idea called 'Magic Quotes' which has since been deprecated. It automatically escaped special characters, and you could then use addslashes() and stripslashes() to add or remove them. One of the problems was that you were never quite sure whether the data currently had slashes or not, and thus you ended up putting unescaped data into SQL, or had extra slashes on your web page.
• htmlentities() is used often to display HTML on the page. If you try to write <b>Something</b> to a HTML page, you will just see Something (i.e. the original text in bold) - you won't see the bold tags around it. Using htmlentities('<b>Something</b>') converts the code to <b>Something<b> so in the browser you see the triangle brackets.
• mysql_real_escape_string() is useful for defending against MySQL injection attacks - it escapes unsafe characters in strings. It does not escape anything in other data types, and so those need to be dealt with separately. It also does not encode % and _, which are used as wildcards in some queries.

In summary:

• If you're encoding to write to a HTML page, use htmlentities()
• If you're encoding a string to write to a database, use mymysql_real_escape_string()
• Never use addslashes()

Answer 4

It's all a variation on the same theme:

$bar = "O'Reilly";
"foo = '$bar'";  // foo = 'O'Reilly' -> invalid syntax

Blindly concatenating strings together may lead to syntax violations if the strings are supposed to follow a special syntax. At best this is an annoyance, at worst a security problem. Escaping values prevents these problems. Generic example:

"foo = '" . escape($bar) . "'";  // foo = 'O\'Reilly'

All the different functions are escaping values properly for different syntaxes:

htmlentities for escaping output for HTML.
mysql_real_escape_string for escaping values for SQL queries.
addslashes… not really good for anything, don't use.
json_encode for encoding/escaping/converting values for Javascript format.