4 replies to this topic

[Surpintine]

Is this overkill?

$var = $_GET['variable'];

$var = htmlentities($var);

$var = stripslashes($var);

$var = mysqli_real_escape_string($var);

and should it be in a different order?

[WingedPanther]

It depends on what you'll be doing with $var after that.

[Alexander]

Yes, it will encode any HTML entities into their entity form, which may break some database operations if it relies on raw entities.

If you are displaying it, only use:

• htmlentities()

If you are placing it into a database query:

• mysql*_real_escape_string().

A simple notice is if you strip slashes without them being required to be stripped, you may destroy data (if a slash is contained in a password, or an external document for example). It is only required on database operations if Magic Quotes (magic_quotes_gpc) is turned on, which will add quotes automatically (thus breaking _real_escape_string)

Edited by Alexander, 24 June 2010 - 08:01 PM.

[Surpintine]

Thanks a bunch.

[Alexander]

You're welcome.