<p>First: <a href="http://www.php.net/htmlentities" rel="nofollow noreferrer"><code>htmlentities</code></a> or just <a href="http://www.php.net/htmlspecialchars" rel="nofollow noreferrer"><code>htmlspecialchars</code></a> should be used for escaping strings that you embed into HTML. You shouldn't use it for escaping strings when you insert them into a SQL query. Use <a href="http://www.php.net/mysql_real_escape_string" rel="nofollow noreferrer"><code>mysql_real_escape_string</code></a> (for MySQL) or, better yet, use <a href="http://www.php.net/pdo-prepare" rel="nofollow noreferrer">prepared statements</a>, which have bound parameters. Make sure that <code>magic_quotes</code> are turned off or disabled when you manually escape strings.</p>
<p>Second: You don't unescape strings when you pull them out again. E.g. there is no <code>mysql_real_unescape_string</code>. And you shouldn't use <code>stripslashes</code> either. If you find that you need to, then you probably have <code>magic_quotes</code> turned on; turn them off instead, and fix the data in the database before proceeding.</p>
<p>Third: What you're doing with <code>html_entity_decode</code> completely nullifies the intended use of <code>htmlentities</code>. Right now, you have absolutely no protection against a malicious user injecting code into your site (you're vulnerable to cross-site scripting, a.k.a. XSS). Strings that you embed into an HTML context should be escaped with <a href="http://www.php.net/htmlspecialchars" rel="nofollow noreferrer"><code>htmlspecialchars</code></a> (or <code>htmlentities</code>). If you absolutely <em>have</em> to embed HTML into your page, you have to run it through a cleaning solution first. <a href="http://www.php.net/strip_tags" rel="nofollow noreferrer"><code>strip_tags</code></a> does this, in theory, but in practice it's very inadequate. The best solution I currently know of is <a href="http://htmlpurifier.org/" rel="nofollow noreferrer">HtmlPurifier</a>.
However, whatever you do, it is always a risk to let random users embed code into your site. If at all possible, try to design your application such that it isn't needed.</p>
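The encode-then-decode pattern the answer criticises, beside the corrected version (bound parameter on the way in, `htmlspecialchars` at output time), as an added example that is not part of the original answer. It assumes a PDO connection `$pdo` and a hypothetical table `comments(id, body)`.

```php
<?php
// Added example, not from the original answer. Assumes a PDO connection $pdo
// to a hypothetical table `comments(id, body)`.

// BEFORE: the pattern the answer warns about. htmlentities() is output
// escaping, not SQL escaping, and the concatenated query is still injectable.
function save_comment_broken(PDO $pdo, string $body): void {
    $pdo->exec("INSERT INTO comments (body) VALUES ('" . htmlentities($body) . "')");
}

// html_entity_decode() undoes the only escaping that was applied, so a stored
// "&lt;script&gt;" comes back as live "<script>" markup: XSS.
function render_comment_broken(string $stored): string {
    return '<p>' . html_entity_decode($stored) . '</p>';
}

// AFTER: store the raw text through a prepared statement with a bound
// parameter; no manual escaping and no reliance on magic_quotes.
function save_comment(PDO $pdo, string $body): void {
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

// Escape for the HTML context at the point of output. ENT_QUOTES also covers
// attribute values delimited by single quotes; the charset is stated explicitly.
function render_comment(string $stored): string {
    return '<p>' . htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed sample input: the broken path re-emits the tag as markup, the
// corrected path emits it as inert text.
$input = '<script>alert(1)</script>';
echo render_comment_broken(htmlentities($input)), "\n";
echo render_comment($input), "\n";
```

Run with `php example.php` and compare the two lines: only the second keeps the angle brackets encoded.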