I know htmlspecialchars is for HTML output and mysql_real_escape_string is for inserting into the database. I'm not sure how to apply them in this scenario. For example:
$search = mysql_real_escape_string(htmlspecialchars($_GET['search'],ENT_QUOTES));
mysql_query("INSERT INTO table1 VALUES ('','$search')",$this->connect);
echo "<a href='http://www.example.com/$search'>$search</a>";
Do I have to separate the top line so mysql_real_escape_string is applied before the insert and htmlspecialchars after? I'm hoping I don't have to, otherwise I have to go over a lot of code.
Also, would using htmlspecialchars twice do anything different than using it once? I'm sure somewhere in my code I have used htmlspecialchars twice on the same variable.
e.g.
$var = htmlspecialchars($one); //top of page
$var2 = htmlspecialchars($var); //another function
Only escape at the exact moment needed, once. In your case, since the value is supposed to be part of a URL, it needs to be URL encoded. Since that URL is then made part of HTML, it needs to be HTML escaped.
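The following is an added example, not code from the question or the answer above. It shows the answer's rule in working PHP: keep the raw value from $_GET, and escape it once per sink with the escaping that sink understands. The table and column names, the hypothetical $mysqli connection, and the constructed input string are assumptions.

```php
<?php
// Added example (not from the original question or answer). One raw value,
// three sinks, one escape per sink. Table/column names and the $mysqli
// connection passed to storeSearch() are assumptions for illustration.

declare(strict_types=1);

/**
 * Sink 1: the database. A bound parameter lets the driver quote the value,
 * so nothing needs to be escaped by hand. mysqli prepared statements replace
 * mysql_real_escape_string(), which belongs to the removed ext/mysql extension.
 * Needs a live connection, so it is only defined here, not called.
 */
function storeSearch(mysqli $mysqli, string $raw): void
{
    $stmt = $mysqli->prepare('INSERT INTO table1 (id, term) VALUES (NULL, ?)');
    $stmt->bind_param('s', $raw);
    $stmt->execute();
}

/**
 * Sink 2 and 3: a URL that is then embedded in HTML.
 * rawurlencode() makes the raw value safe as a single URL path segment
 * (space, "&", "'", "=", "(" and ")" all become %XX sequences).
 * htmlspecialchars() is then applied exactly once to each value at the point
 * where it is written into HTML; ENT_QUOTES covers the single-quoted attribute.
 */
function searchLink(string $raw): string
{
    $url = 'http://www.example.com/' . rawurlencode($raw);

    return sprintf(
        "<a href='%s'>%s</a>",
        htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
    );
}

/** Escaping once, for comparison with escaping twice. */
function escapeOnce(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * What double escaping does: the second pass sees the "&" that starts every
 * entity produced by the first pass and encodes it again.
 */
function escapeTwice(string $raw): string
{
    return htmlspecialchars(escapeOnce($raw), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input (an assumption) that is hostile in all three contexts:
// an "&" for the entity case, a "'" to break out of the attribute, and an
// event handler that would run if the quote were not escaped.
$raw = "Tom & Jerry' onmouseover='alert(1)";

echo searchLink($raw), PHP_EOL;
echo escapeOnce($raw), PHP_EOL;
echo escapeTwice($raw), PHP_EOL;
```

Run it with `php example.php`. The link's href contains only %XX sequences and unreserved characters, so the attribute cannot be broken out of, and the link text shows the search term as typed because the browser decodes the entities once. The last two lines answer the second question: after one pass `&` is `&amp;` and `'` is `&#039;`; after a second pass those become `&amp;amp;` and `&amp;#039;`, which the browser renders literally as `&amp;` and `&#039;`. Double escaping is not a security problem, but it corrupts the output, which is why the value should be escaped once, at the sink.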