I've been doing some reading on securing PHP applications, and it seems to me that mysqli_real_escape_string
is the correct function to use when inserting data into MySQL tables because addslashes
can cause some weird things to happen for a smart attacker. Right?
However, there is one thing that is confusing me. I seem to remember being advised addslashes
is better than htmlentities
when echoing user-entered data back to users to protect their data, but it seems like addslashes
is the one with the vulnerability. Is this true, or am I remembering incorrectly?