php safe output

Question

I'm trying to make a "remember fields" thingy, so if there is one error you won't have to fill in the whole form again. But how can I make the output safe?

Example:

<input type="text" name="email" value="<?php echo (isset($_POST['email'])) ? htmlspecialchars($_POST['email']) : ''; ?>" />

If someone types in " ' " (without the quotes) for example you get:

Warning: mysql_result() expects parameter 1 to be resource, boolean given in C:\wamp\www\pages\register.php on line 55

So then I tried:

<input type="text" name="email" value="<?php echo (isset($_POST['email'])) ? mysql_real_escape_string($_POST['email']) : ''; ?>" />

Then it just adds a lot of //////.

What should I do?

I'm a noob yes. But I thought htmlspecialchars made user input safe?

possible duplicate of Warning: mysql_fetch_* expects parameter 1 to be resource, boolean given error — j0k
– j0k, Commented Aug 1, 2012 at 7:28
possible duplicate of How to fix this error "mysql_fetch_assoc() expects parameter 1 to be resource, boolean given in"? — Jürgen Thelen
– Jürgen Thelen, Commented Aug 2, 2012 at 13:11

Community · Accepted Answer · 2020-06-20 09:12:55Z

8

It depends on context.

htmlspecialchars() is your friend in HTML.

mysql_real_escape_string() is your friend in MySQL.

Update

You could run all your $_POST through htmlspecialchars() first with this...

$encodedHtmlPost = array_map('htmlspecialchars', $_POST);

edited Jun 20, 2020 at 9:12

CommunityBot

11 silver badge

answered Feb 12, 2011 at 0:08

alex

492k205 gold badges891 silver badges992 bronze badges

Sign up to request clarification or add additional context in comments.

1 Comment

RobertPitt Over a year ago

or, Output = htmlspecialchars, DB Input = mysql_real_escape_string

mario · Accepted Answer · 2011-02-12 00:23:14Z

3

As for html escaping, you should use a wrapper function because htmlspecialchars needs some parameters to produce reliably safe output:

 htmlspecialchars($text, ENT_QUOTES, "UTF-8");

answered Feb 12, 2011 at 0:23

mario

146k20 gold badges243 silver badges293 bronze badges

Comments

Mārtiņš Briedis · Accepted Answer · 2011-02-12 00:10:05Z

2

You have to use mysql_real_escape_string() before you put data in database, not for the output! It will prevent SQL injections. Use htmlspecialchars when outputting data to user, it prevents XSS attacks.

When inserting in database:

$data = mysql_real_escape_string($data);

mysql_query("INSERT INTO table1(data) VALUES('$data')"); //Safe insertion

When outputting to user:

echo htmlspecialchars($data);

answered Feb 12, 2011 at 0:10

Mārtiņš Briedis

17.9k5 gold badges59 silver badges78 bronze badges

1 Comment

Terradon Over a year ago

There is no such thing like injection but improperly formatted query only. Prepared statements are the proper way to be 100% safe, read more at phpdelusions.net/sql_injection Data should be stored unmodified! htmlspecialchars() seems a good way to go for the html-output, see answer of mario.

Collectives™ on Stack Overflow

php safe output

3 Answers 3

Update

1 Comment

Comments

1 Comment

Your Answer

Hot Network Questions

Collectives™ on Stack Overflow

3 Answers 3

Update

1 Comment

Comments

1 Comment

Your Answer

Sign up or log in

Post as a guest

Related