htmlentities() or strip_tags()?

Joseph_Witchard

Which is a better method to use when working with databases?

dagon

they both have there place, depending on what you want to achieve. I don't see why you want either for selecting that information.

mysql_real_escape_string() to sanitise user input

Joseph_Witchard

Do you only need to use htmlentities/strip_tags if you're inserting data?

dagon

that depends on the data, and what you want to do with it. You seem to be looking for a one size fits all answer (there is not one)

Weedpacket

It depends on what you want the data for. (That code doesn't insert anything, only selects; it would seem perfectly reasonable for people to want something like "&" in their username, or "<foo>" in their password.)

laserlight

Joseph Witchard wrote:
Do you only need to use htmlentities/strip_tags if you're inserting data?

No. You should use them when you are displaying data in the context of HTML. (Though I would be very cautious with the use of strip_tags since it is rather destructive.)

By the way, your signature does not demonstrate MySQLi. It demonstrates the assignment of a string literal to a variable in PHP 😉

Bjom

...and finally if your signature is meant to point to prepared statements....

That would work like below and actually be the safest way for sanitizing data:

$conn = new mysqli(....);
$query = 'INSERT INTO users (post_id, username, password) VALUES(?,?,?)';
$stmt = $conn->prepare($query);
$postID = '9A32142ADA223';
$username = 'Herodot';
$password = 'blah'
$stmt->bind_param('sss', $postID, $username, $password);
$stmt->execute();

Stripping html entities won't hurt either before displaying or before inserting to prevent 2nd order "creativity".

Joseph_Witchard

laserlight;10922462 wrote:
No. You should use them when you are displaying data in the context of HTML. (Though I would be very cautious with the use of strip_tags since it is rather destructive.)

By the way, your signature does not demonstrate MySQLi. It demonstrates the assignment of a string literal to a variable in PHP 😉

How is strip_tags() destructive?

And as to my signature, I just put that up because every time I had a problem with PHP and MySQL, someone would come along and go "I think it's the question marks that's causing the errors." (I think many people still use the old MySQL functions.) I haven't had that happen once since I started using this signature😉

Weedpacket

Joseph Witchard wrote:
How is strip_tags() destructive?

It strips out HTML tags. That's a destructive operation.