Mccodes security

**mr moon** · 03-12-2011, 12:09 PM

Hello i am wondering, if htmlentities and htmlspecialchars are the same thing.

If they are not the same thing, what does htmlentities do?

I have seen a code like this

$_POST['post'] = mysql_real_escape_string(htmlentities($_POST['post']));

so if htmlentities and htmlspecialchars are not the same thing how would i put htmlspecialchars in the code above? woluld it be like this?

$_POST['post'] = mysql_real_escape_string(htmlspecialchars($_POST['post']));

I will appreciate it if anyone can help me :P

Thanks
Mr Moon

**lucky3809** · 03-12-2011, 03:20 PM

they arent the same but very similar
htmlentities — Convert all applicable characters to HTML entities
htmlspecialchars — Convert special characters to HTML entities

there is no need to use both, if you want everything html not to go through a post then you would use htmlentites.
If you only want special characters not to go through then you use the other one htmlespecialchars... using both is useless imo. lol.

and yes you have the correct way of placing the function!

**mr moon** · 03-12-2011, 03:29 PM

Oh thanks i am kinda understanding it now

Well this is what htmlspecialchars secured:

I think it secures your site from HTML injection and some XSS attacks

So does htmlentitles do the same thing or does it also secure from all xss attacks?

Also what do you mean if i dont want special characters to go through like what kinda character and which would be the best to use for Mccodes v2 htmlspecialchars or htmlentitles?

Thanks Mr moon :P

**lucky3809** · 03-12-2011, 04:58 PM

Yes you got the correct idea about htmlspecialchars.
they both secure from xss attacks and html injections.
here is 2 sites that may help you understand them both!
http://www.php.net/manual/en/functio...ecialchars.php
http://sqa.fyicenter.com/Online_Test...P_Function.php