I've been doing some reading on securing PHP applications, and it seems to me that mysqli_real_escape_string is the correct function to use when inserting data into MySQL tables, because addslashes can cause some weird things to happen for a smart attacker. Right?

However, there is one thing that is confusing me. I seem to remember being advised that addslashes is better than htmlentities when echoing user-entered data back to users to protect their data, but it seems like addslashes is the one with the vulnerability. Is this true, or am I remembering incorrectly?
You could also use the PDO libs, which do most of the escaping for you, in case you are using PHP5 on the servers.

When echoing back, I'd personally prefer htmlspecialchars, but one might correct me.
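The two halves of the question and the answer above, shown together as an added example that is not part of the original question or answer: PDO binds the value on the way into the database, so no addslashes or mysqli_real_escape_string call is needed in the SQL layer, and htmlspecialchars escapes for the HTML layer on the way back out, where addslashes does nothing useful. The `comments` table and the hostile input string are constructed for the example; it assumes the pdo_sqlite extension so it runs offline, and the PDO calls are identical against MySQL.

```php
<?php
// Added example, not code from the original question or answer.
// Assumes pdo_sqlite so it runs offline; the PDO calls are the same for MySQL.
declare(strict_types=1);

// Constructed hostile input: a quote aimed at the SQL layer and a tag aimed at the HTML layer.
$userInput = "O'Reilly <script>alert(1)</script>";

// --- Storing: let PDO bind the value; no addslashes(), no manual escaping. ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Table name and column are constructed for the example.
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// The SQL text is fixed; the value travels separately as a bound parameter.
$insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $userInput]);

// Read it back: the single quote did not break the statement and the stored value is intact.
$row = $pdo->query('SELECT body FROM comments')->fetch(PDO::FETCH_ASSOC);
var_dump($row['body'] === $userInput);   // bool(true)

// --- Echoing back: escape for the OUTPUT context, which is HTML, not SQL. ---
$html = htmlspecialchars($row['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
echo $html, PHP_EOL;
// O&#039;Reilly &lt;script&gt;alert(1)&lt;/script&gt;

// addslashes() is the wrong tool for this context: it only backslashes ' " \ and NUL,
// so the <script> tag reaches the browser untouched and still executes.
echo addslashes($row['body']), PHP_EOL;
// O\'Reilly <script>alert(1)</script>
```

Against MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the server, not the client library, separates the statement from its parameters; pdo_sqlite does not support that attribute, which is why the example omits it. If you stay with mysqli rather than PDO, its `prepare()` and `bind_param()` give you the same separation of query text and data, which is a stronger position than escaping strings by hand with mysqli_real_escape_string before concatenating them into the query.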