Zeroth

Reputation: 83

Is mysql_real_escape_string(htmlspecialchars()) really useful? Why?

Is it really useful to have something like:

$passe = mysql_real_escape_string(htmlspecialchars($_POST['passe']));

Why do we use this? How can it be optimized?

Thank you

<?php
mysql_connect("localhost", "root", "");
mysql_select_db("nom_db");

$passe = mysql_real_escape_string(htmlspecialchars($_POST['passe']));
$passe2 = mysql_real_escape_string(htmlspecialchars($_POST['passe2']));
if($passe == $passe2)
{
    // script here
}
else
{
    echo 'Your password is wrong';
}
?>

Upvotes: 1

Views: 8513

Answers (5)

sanmai

Reputation: 30891

Using htmlspecialchars() like you do is pointless, because for strings:

mysql_real_escape_string(htmlspecialchars($_POST['passe'])) == 
    mysql_real_escape_string(htmlspecialchars($_POST['passe2']));

is the same as:

$_POST['passe'] == $_POST['passe2']

Upvotes: 0

Pekka

Reputation: 449475

Your full code in the pastebin shows that the variables are used later for a database query.

mysql_query("INSERT INTO validation VALUES('', '$pseudo', '$passe', '$email')"); 

mysql_real_escape_string() is a must here; htmlspecialchars isn't, for the reasons @Quentin explained so well above.

Use htmlspecialchars later in the output if anything of what you insert gets output on an HTML page.

Upvotes: 0

SamarLover

Reputation: 182

Using htmlspecialchars keeps you protected from XSS, but there is a bypass method if you add this word to the URL,

like

` link name ' ;

The bypass will use JavaScript onmouseout/onhover; otherwise that requires magic_quotes off.

addslashes & mysql_real_escape_string protect from SQL injection

by ignoring the ' or " quotes,

but the good way is to remove these words after making it lowercase,

meaning:

$username = strtolower($_GET['ser']);
// keyword blacklist as posted; parentheses serve as the pattern delimiters
if (preg_match("(select|and|or|union|into|from|information|schema|\.user|concat|group)", $username)) {
    die("Error : Hacking Attempt");
}

Upvotes: 0

Dunhamzzz

Reputation: 14798

You should only use mysql_real_escape_string($var) when passing untrusted variables into a database query, like so:

$query = mysql_query("SELECT * FROM `foo` WHERE `bar` = '".mysql_real_escape_string($_POST['username'])."'");

It is important to do this to protect against SQL injection attacks.

As for htmlspecialchars(), this should be used when outputting untrusted variables to the page; it will neutralise any HTML to prevent a variable from outputting unwanted or dangerous HTML on top of a page (JavaScript, for example).

In your example, you need neither function, as you are just comparing them and are not putting them in a database or on a webpage.

Upvotes: 1

Quentin

Reputation: 943579

In that code example, it isn't useful at all.

htmlspecialchars converts characters with special meaning in HTML into entities. That is essential if you have some text that you want to insert into an HTML document (as it stops, for instance, characters such as < being treated as the start of tags, and protects against XSS).

mysql_real_escape_string converts characters with special meaning in MySQL SQL queries into escapes. This allows you to insert arbitrary strings into a MySQL database safely (protecting against errors and injection). There are, however, better ways to do the same thing.

In this case, you are just comparing two strings. Running them through a bunch of conversions isn't going to do anything useful.

Upvotes: 6
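The point made by Dunhamzzz and Quentin above is that each function belongs to one output context: compare raw input, escape or parameterise only when the value enters SQL, and HTML-encode only when it is printed. The following is an added example illustrating that split; it is not code from the question or from any of the answers. It swaps in PDO prepared statements (the "better ways" Quentin alludes to) in place of mysql_real_escape_string, uses an in-memory SQLite database so it runs offline (the same PDO calls work against MySQL with a pdo_mysql DSN), and the table name `validation` and column names `pseudo`, `passe`, `email` are taken from Pekka's quoted query; the sample POST values are constructed.

```php
<?php
// Added example (not from the question or any answer above). Assumes PHP 7+
// with the pdo_sqlite extension; against MySQL use a 'mysql:...' DSN instead.

// 1. Comparing two inputs: running both through the same escaping changes
//    nothing about equality, so compare the raw strings. hash_equals avoids
//    leaking where the strings differ through timing.
function passwordsMatch(string $passe, string $passe2): bool
{
    return hash_equals($passe, $passe2);
}

// 2. Storing: bind parameters instead of escaping into the SQL text. The
//    driver keeps data separate from the statement, so quotes or backslashes
//    in the input cannot alter the query.
function storeUser(PDO $db, string $pseudo, string $passe, string $email): void
{
    $stmt = $db->prepare(
        'INSERT INTO validation (pseudo, passe, email) VALUES (:pseudo, :passe, :email)'
    );
    $stmt->execute([
        ':pseudo' => $pseudo,
        ':passe'  => password_hash($passe, PASSWORD_DEFAULT), // store a hash, not the password
        ':email'  => $email,
    ]);
}

// 3. Output: encode for HTML only at the point where the value is printed,
//    so the stored data stays intact and every output path is covered.
function renderGreeting(string $pseudo): string
{
    return '<p>Welcome, ' . htmlspecialchars($pseudo, ENT_QUOTES, 'UTF-8') . '</p>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE validation (id INTEGER PRIMARY KEY, pseudo TEXT, passe TEXT, email TEXT)');

// Constructed sample input containing characters that matter in each context:
// an apostrophe (SQL), angle brackets (HTML) and mixed quotes.
$post = [
    'pseudo' => "O'Brien <b>",
    'passe'  => 'pa"ss\'word',
    'passe2' => 'pa"ss\'word',
    'email'  => 'ob@example.com',
];

if (!passwordsMatch($post['passe'], $post['passe2'])) {
    exit("Passwords do not match\n");
}

storeUser($db, $post['pseudo'], $post['passe'], $post['email']);

// The stored pseudo still contains the original apostrophe and angle
// brackets: nothing was mangled on the way in.
$row = $db->query('SELECT pseudo FROM validation')->fetch(PDO::FETCH_ASSOC);
var_dump($row['pseudo'] === $post['pseudo']);

// Only here, at output, are the quote and the angle brackets turned into entities.
echo renderGreeting($row['pseudo']), "\n";
```

Running it with `php example.php` shows the comparison succeeding on the raw strings, the row holding the username unchanged, and the greeting with `'`, `<` and `>` entity-encoded. The same separation answers the original question: htmlspecialchars applied before the comparison or before the INSERT only corrupts the stored data (a later `SELECT` would return `O&#039;Brien &lt;b&gt;`) while protecting nothing, because neither context is HTML.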
