Difference between htmlspecialchars and mysqli_real_escape_string?

Question

I read in a PHP book that it is a good practice to use htmlspecialchars and mysqli_real_escape_string in conditions when we handle user inputed data. What is the main difference between these two and where they are appropriate to be used? Please guide me.

Answer 1

When to use real_escape_string?

Short: Use when building queries which depend on user submitted data.

Long: When saving user submitted data to your database in a manner which does not use prepared statements (these are escaped by default). What it does is prevent situations as the following

(DO NOT DO THIS):

txtSQL = "SELECT * FROM Users WHERE UserId = " + $_GET("userid");

Using real_escape_string($_GET("userid") instead of the raw parameter prevents that an attacker gets all users sending a userid parameter which is formed like this: '100 OR 1=1'. This would be concatenated and yield the query:

SELECT * FROM Users WHERE UserId = 100 OR 1=1;

Which would return all users data in the database.

Real escape string would escape 100 OR 1=1 in a way that it would not be interpreted as valid SQL and thus would not yield all user data.

More on SQL injection

When to use htmlspecialchars?

Short: Use when echoing user submitted data to your page.

Long: If user manages to save a string like:

<script>alert("Stealing your cookies")</script>

to your database which is then presented to other users and you echo it without htmlspecialchars the javascript code in the script tag would execute on the users machine, which is just bad news, as now pretty much any data within the browser could be stolen (cookies/localstorage) or the user be redirected.

The resulting string of htmlspecial chars on the aforementioned script tag would be:

<script>alert('Stealing your cookies')'</script>

Which would be displayed on the page and not be interpreted as javascript code.

Answer 2

htmlspecialchars: "<" to "& lt;" (Replaces HTML-Code)

mysqli_real_escape_string: " to \" (Replaces Code, that has a meaning in a mysql-query)

Both are used to be save against some attacks like SQL-Injection and XSS

Answer 3

htmlspecialcharacters turns 'html special characters' into code, such as quotes (both single and double), ampersands, and less than/greater than signs. This function is generally used to ensure that content users post on your website doesn't have HTML tags or XSS scripts.

mysql_real_escape_string escapes strings, meaning it adds the \ in front of slashes, quotes(both single and double), and anything else that can mess up a mysql query. This function ensures that no one is executing SQL commands on your server and getting information from the database.

Answer 4

The two functions are totally unrelated in purpose; the only attribute they share is that they are commonly used to provide safety to web applications.

mysqli_real_escape_string is meant to provide safety against SQL injection.

htmlspecialchars is meant to provide safety against cross-site scripting (XSS).

Also see What's the best method for sanitizing user input with PHP? and Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?

Answer 5

These two functions are used for completely different things.

htmlspecialchars() converts special HTML characters into entities so that they can be outputted without problems. mysql_real_escape_string() escapes sensitive SQL characters so dynamic queries can be performed without the risk of SQL injection.

You could just as easily say that htmlspecialchars handles sensitive OUTPUT, while mysql_real_escape_string handles sensitive INPUT.

Shai