Home/ Questions/Q 6657097
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T01:43:30+00:00

I got $id = (int) $_POST[‘id’] $content = filter_input(INPUT_POST, ‘post_content’, FILTER_SANITIZE_STRING); The above, is

  • 0

I got

$id = (int) $_POST['id']
$content = filter_input(INPUT_POST, 'post_content', FILTER_SANITIZE_STRING);

The above, is making my $content string secured, when I post it to the database:

$conn->new->query("UPDATE `posts` SET `content` = " . $conn->escape_string($content) . " where `id` = {$id};");

But at the same, is does remove some special characters like tags, for example I can not use < in my post , because it’ll be removed.

How can I modify that, to be secured enough and at the same prevent my code from hack?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Escaping is the process of allowing certain characters that could have detrimental effects on the target system. For example, MySQL uses characters like quotes and parentheses. mysql_real_escape_string escapes such characters so they don’t pollute the queries.

    You don’t necessarily need to sanitize HTML from data before storing it in the database, but you MUST escape harmful characters. As @Damien pointed out in a comment, you can escape HTML (which could have detrimental effects on your HTML) before output .

    • 0