
confused when to use addslashes and when to use htmlentities [duplicate]

Developer https://www.devze.com 2023-03-03 07:11 Source: Internet
This question already has answers here: Closed 11 years ago.

Possible Duplicates:

Htmlentities vs addslashes vs mysqli_real_escape_string

When to use which string escaping method?

Hi, I get very confused about when to use addslashes and when to use htmlentities.

Can you please give me an example of where I should use addslashes and when to use htmlentities.


  • Never use addslashes.

  • Also never use htmlentities()*

  • Use htmlspecialchars() when outputting untrusted content in the context of an HTML page.

In general, there is usually one correct method of escaping/sanitizing your data, depending on what you want to do with it. If you tell us more about what you are trying to do, somebody will be able to point you in the right direction.

* = unless you need it, which is usually never. htmlentities() turns many more characters than necessary into their respective HTML entities, which has become largely superfluous in the days of UTF-8. For security, the range of characters covered by htmlspecialchars() is enough.


It's slightly confusing, I agree. But, let's see if we can help :)

htmlentities makes data safe for outputting into an HTML document. The PHP manual says:

This function is identical to htmlspecialchars() in all ways, except with htmlentities(), all characters which have HTML character entity equivalents are translated into these entities.

But keep in mind that using htmlentities() in a UTF-8 encoded document should be avoided at all costs! There are always problems, see http://www.phpwact.org/php/i18n/charsets#common_problem_areas_with_utf-8

addslashes makes data safe for a few other situations, but if your database has its own then use that; for MySQL, mysql_real_escape_string is needed there.
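The two answers above make the same point from different angles: escaping is chosen by the output context, and addslashes fits none of the common ones. The following PHP example is added here to illustrate both answers; it is not code from either answerer. It assumes PHP 8 with the mysqli extension (for the SQL part) and uses constructed input strings; `$db`, `users`, `findUserByName` and `compareEntityFunctions` are names chosen for this example, and the `mysqli` connection is a placeholder that the reader supplies.

```php
<?php
// Added example, not part of the original thread.
// Assumes PHP 8 with ext/mysqli; the mysqli connection passed to findUserByName is a placeholder.
declare(strict_types=1);

// Constructed untrusted input, as it might arrive from a form field.
$untrusted = "O'Reilly <script>alert(1)</script> \"quoted\"";

// 1. HTML body/attribute context (first answer): escape the characters that are
//    significant to the HTML parser and nothing more. ENT_QUOTES covers both quote
//    styles so the result is also safe inside a quoted attribute; ENT_SUBSTITUTE
//    replaces invalid UTF-8 sequences instead of returning an empty string.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Contrast with addslashes: it only prefixes ' " \ and NUL with a backslash.
// The <script> tag passes through untouched, so the browser still executes it.
// This is why the first answer says never to use addslashes for HTML output.
$notEscapedForHtml = addslashes($untrusted);

// 2. htmlentities vs htmlspecialchars (second answer): on UTF-8 text, htmlentities
//    also rewrites every character that has a named entity, which is unnecessary
//    for safety and is where the encoding problems the answer links to come from.
function compareEntityFunctions(string $s): array
{
    return [
        'htmlspecialchars' => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        'htmlentities'     => htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
    ];
}

// 3. SQL context: the database's own mechanism, as the second answer says. A prepared
//    statement binds the value separately from the query text, so it is never parsed
//    as SQL. mysqli_real_escape_string() is the escaping function for the legacy
//    string-concatenation style; it needs an open connection because the correct
//    escaping depends on the connection's character set.
function findUserByName(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

// Demonstration on the constructed inputs (no database needed for these three lines).
echo "HTML-escaped:   ", escapeHtml($untrusted), "\n";
echo "addslashes only: ", $notEscapedForHtml, "\n";
print_r(compareEntityFunctions('café <b>'));
```

Running the script shows that `escapeHtml()` turns `<script>` into `&lt;script&gt;` while `addslashes()` leaves the tag intact, and that for `café <b>` the two entity functions agree on `&lt;b&gt;` but only `htmlentities()` rewrites `é` as `&eacute;`. The `findUserByName()` function is the pattern to use for the SQL context: pass the raw value to `bind_param()` and apply no escaping function to it at all, since escaping a value that is then bound would corrupt it.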
