I read in a PHP book that it is good practice to use htmlspecialchars and mysqli_real_escape_string when we handle user-input data. What is the main difference between these two, and where is each appropriate to be used? Please guide me.
possible duplicate of [htmlspecialchars or mysql_real_escape_string?](http://stackoverflow.com/questions/3603146/htmlspecialchars-or-mysql-real-escape-string) – ajreal Dec 07 '11 at 16:48
4 Answers
htmlspecialchars: "<" to "&lt;" (replaces HTML code)
mysqli_real_escape_string: " to \" (replaces code that has a meaning in a MySQL query)
Both are used to be safe against some attacks like SQL injection and XSS.
htmlspecialchars("< b >ä< /b >") == "&lt; b &lt;ä &lt; /b &gt;" – EGOrecords Dec 09 '11 at 17:00
These two functions are used for completely different things.
htmlspecialchars() converts special HTML characters into entities so that they can be output without problems. mysql_real_escape_string() escapes sensitive SQL characters so dynamic queries can be performed without the risk of SQL injection.
You could just as easily say that htmlspecialchars handles sensitive OUTPUT, while mysql_real_escape_string handles sensitive INPUT.
Shai
I think @EGOrecords already explained it. Also I recommend reading the manual, as it has all the needed examples: http://php.net/htmlspecialchars , http://php.net/mysql_real_escape_string – Shai Mishali Dec 08 '11 at 08:48
The two functions are totally unrelated in purpose; the only attribute they share is that they are commonly used to provide safety to web applications.
mysqli_real_escape_string is meant to provide safety against SQL injection.
htmlspecialchars is meant to provide safety against cross-site scripting (XSS).
Also see What's the best method for sanitizing user input with PHP? and Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?
@TheNoble-Coder: Look at the questions I link to. Also, google is your friend. – Jon Dec 07 '11 at 16:52
htmlspecialchars turns 'HTML special characters' into code, such as quotes (both single and double), ampersands, and less-than/greater-than signs. This function is generally used to ensure that content users post on your website doesn't have HTML tags or XSS scripts.
mysql_real_escape_string escapes strings, meaning it adds the \ in front of slashes, quotes (both single and double), and anything else that can mess up a MySQL query. This function ensures that no one is executing SQL commands on your server and getting information from the database.