user892134
Reputation: 3224
htmlentities or htmlspecialchars or stripslashes? Which one to use?
When i insert user input data into the mysql database i use, mysql_real_escape_string. The input data contains bbcode e.g. [img][/img].
Below is a line for when the html is output.
$information = $this->bbcode(stripslashes($this->swearfilter($row['information'])),1);
echo $information;
Regarding this example, is this the correct way to prevent a XSS attack or do i use htmlspecialchars($var,ENT_QUOTES) or htmlentities?
Upvotes: 0
Views: 1467
Answers (2)
Ganesh Bora
Reputation: 1153
$message = preg_replace('#\[img\](.*?)\[/img\]#', '<img src="$1" />', $message);
Upvotes: 0
Related Questions
- htmlspecialchars vs htmlentities when concerned with XSS
- htmlentities() vs. htmlspecialchars()
- Should I be using htmlspecialchars?
- PHP htmlentities or htmlspecialchars
- Is it redundant to use htmlspecialchars for input then use htmlentities on output?
- Should I use ENT_QUOTES with htmlspecialchars or not
- Using htmlspecialchars() in php/html the correct and professional way
- The use of htmlspecialchars() or htmlentities() in prepared statements
- stripslashes_deep vs htmlspecialchars
- Htmlentities vs addslashes vs mysqli_real_escape_string