I have been using:
```php
// Escape the submitted comment for use inside a SQL string (SQL context only)
if ($_POST['Comments'] != "") {
    $comments = mysql_real_escape_string($_POST['Comments']);
} else {
    $comments = "";
}
```
ever since a user added an apostrophe to their data and it broke my SQL statement. I thought this also secured the data at the same time. But just now I got a submission and in the comment field in the database I see:
/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r/r
<a href="http://seowebsite.com">seohelp</a>
And the email I get when someone submits had the text with the links actually working.
I thought mysql_real_escape_string() was supposed to get rid of all that?
Any suggestions? I was thinking of doing a function that does all the string cleaning for me in a few different steps. But if there is a way to secure in just one step that would be great.
mysql_real_escape_string() only protects you against SQL Injection, not against Cross-Site Scripting (XSS).
mysql_real_escape_string() doesn't behave properly when used in conjunction with SET NAMES because it is unaware of the charset being used. Use mysql_set_charset() instead.
In order to protect yourself against XSS, you must also use htmlentities() or htmlspecialchars() either at insert time (before mysql_real_escape_string()) or at display time.
If you want to allow some HTML content, use HTML Purifier with a whitelist of elements and attributes you want to allow.
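The point the answer makes, as an added example that is not part of the question or answer: SQL escaping and HTML escaping are two separate defences for two separate contexts. It is written in Python with an in-memory sqlite3 database so it runs stand-alone; parameter binding stands in for mysql_real_escape_string() and html.escape() stands in for htmlspecialchars(). The sample submission is constructed to resemble the spam in the question.

```python
import html
import sqlite3

# Constructed sample submission (not the original data): an apostrophe,
# a run of "/r", and a link tag, like the spam described in the question.
SUBMISSION = "it's great /r/r/r <a href=\"http://seowebsite.com\">seohelp</a>"


def store_comment(conn: sqlite3.Connection, comment: str) -> int:
    """Insert the comment with a parameterized query.

    Parameter binding is the SQL-injection defence (the job that
    mysql_real_escape_string() did in the question). It stores the text
    exactly as submitted: the apostrophe cannot break the statement, and
    the <a> tag is left untouched because HTML is not SQL's concern.
    """
    cur = conn.execute("INSERT INTO comments(body) VALUES (?)", (comment,))
    return cur.lastrowid


def fetch_comment(conn: sqlite3.Connection, row_id: int) -> str:
    row = conn.execute("SELECT body FROM comments WHERE id = ?", (row_id,)).fetchone()
    return row[0]


def render_comment(body: str) -> str:
    """Escape at display time, for the HTML context.

    html.escape() plays the role of htmlspecialchars(): <, >, &, and both
    quote characters become entities, so a stored <a> tag is displayed as
    literal text instead of becoming a working link in the page or e-mail.
    """
    return "<p>" + html.escape(body, quote=True) + "</p>"


def demo() -> tuple[str, str]:
    """Store the sample submission and return (stored text, rendered HTML)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments(id INTEGER PRIMARY KEY, body TEXT)")
    row_id = store_comment(conn, SUBMISSION)
    stored = fetch_comment(conn, row_id)
    return stored, render_comment(stored)


if __name__ == "__main__":
    stored, rendered = demo()
    print("stored  :", stored)
    print("rendered:", rendered)
```

The database row still contains the raw tag; only the rendered output is safe, which is why escaping must happen wherever the value is written into HTML (the page and the notification e-mail alike).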