Home/ Questions/Q 8211239
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-07T10:21:45+00:00

I need to check something here, I know with some code they filter out

  • 0

I need to check something here, I know with some code they filter out AS the input is obtained in the one single line of code, here I have done it AFTER obtaining the code, in a sequential order, is this also acceptable? or do I have to figure out someway of filtering and escaping the data in the one line whilst at the same time obtaining the data? Here’s a sample of what Im sort of talking about…

  // Get data and prevent XSS attack
  $user = htmlentities($_POST['email'], ENT_QUOTES, 'UTF-8');
  $pass = htmlentities($_POST['pass'], ENT_QUOTES, 'UTF-8');

  // MySQL Injection prevention
  $userdata = mysql_real_escape_string($user);
  $passdata = mysql_real_escape_string($pass);

Thoughts?

Key objective I’m trying to achieve here is to escape a MySQL injection attempt AND prevent an XSS attack

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    It is not enough to use mysql_real_escape_string. There are certain situations where invalid multi-byte encodings can be exploited to inject SQL attacks (unlike with addslashes, this type of attack with mysql_real_escape_string can only happen if the character encoding is overridden in the connection string).

    You should also use prepared statements when interacting with MySQL.

    With regard to XSS, consider integrating HTML Purifier.

    HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C’s specifications.

    • 0