Hi; for a secure URL query, which is more secure: filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS) or htmlentities? Thanks in advance.
A:
What are you defending against? A vulnerability is highly dependent on how the data is being used. It's impossible to create one function call that protects against everything, and mixing protection systems (like XSS and SQL injection) is a very bad idea.
For XSS you should use: htmlspecialchars($var, ENT_QUOTES);
For SQL injection in MySQL you should use mysql_real_escape_string($var);
If you are passing user input to system() or another similar function then you should use escapeshellarg($var);
These are the top 3 and mixing these will cause nothing but problems.
Rook
2010-07-06 17:37:41
Defending against both XSS and injection. Does this mean that I "have to" mix them anyway?
phpExe
2010-07-06 18:02:37
@phpExe No, not really. XSS is only an issue when you are printing data, and SQL injection is only an issue when you are building queries. If you **really** want data to be htmlspecialchar'ed in the database (I advise against this because it can screw up comparisons) then do a `mysql_real_escape_string(htmlspecialchars($var, ENT_QUOTES));`. In the case of SQL injection make sure the escape routine is always the very last operation before building the query.
Rook
2010-07-06 18:13:08
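As an added illustration of the answer and of the comment above (not code from the original thread): the same untrusted value handled once per sink, with the database lookup showing why a stored HTML-escaped value breaks comparisons. It assumes the pdo_sqlite extension is available; since mysql_real_escape_string() no longer exists in current PHP, the SQL step uses a PDO prepared statement instead, which keeps the raw value out of the query text entirely.

```php
<?php
// Constructed input with characters that matter in all three contexts.
$input = "O'Brien <script>alert(1)</script>; rm -rf /";

// 1. HTML sink: escape only at output time. ENT_QUOTES also encodes single quotes.
function forHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// 2. SQL sink: the value is bound as a parameter, the very last step before the
//    query runs, so no escaping function is layered on top of it.
function findUser(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Shell sink: the value becomes exactly one quoted argument.
function forShell(string $s): string {
    return 'grep -F -- ' . escapeshellarg($s) . ' /var/log/app.log';
}

// Why the comment warns against storing htmlspecialchars() output in the database:
// the stored form no longer equals what the user typed, so lookups on it miss.
function lookupsAgree(PDO $db): bool {
    $raw     = findUser($db, "O'Brien");          // compares the raw value
    $encoded = findUser($db, forHtml("O'Brien")); // compares "O&#039;Brien"
    return count($raw) === count($encoded);
}

$db = new PDO('sqlite::memory:');  // assumption: pdo_sqlite is installed
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->prepare('INSERT INTO users (name) VALUES (:n)')->execute([':n' => "O'Brien"]);

echo forHtml($input), "\n";   // safe to embed in an HTML page
echo forShell($input), "\n";  // safe to hand to system()/exec()
echo lookupsAgree($db) ? "stored-encoded lookup matched\n" : "stored-encoded lookup missed\n";
```

Because each function escapes for exactly one sink, the raw value can be stored as-is and the HTML- and shell-safe forms are derived only where they are consumed.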
Thanks, The Rook, you are my idol.
phpExe
2010-07-06 18:16:20