As several of us explained, htmlentities does NOT strip out code. It changes items such as an ampersand
( & ) into an HTML version ( &amp; ). This is so that browsers can display the values. Nothing to do with
security.
mysqli_real_escape_string adds a slash ( \ ) in front of items that might make the string act weird in many
ways on pages or inside of databases. This will quite often defeat the casual hacker, but there are ways
around it by good hackers using SQL injection. This has been deprecated and is not the standard now. The way
it is now done is with prepared statements. The question mark ( ? ) in a prepared statement tells the code
on the server and the SQL software that input is coming and should not be executed. It is data and is only
used as data. That is the secure way to handle it these days.
Astonecipher showed you how easy it is to have you redirected to another site by use of a typed-in
value. He showed it by entering text into a variable named $issue. This could be your site and the form's
first name field.
Prepared statements are very simple. You basically just replace the data in the QUERY with ?s and then
fill in that data when you call it. The MySQL database system takes care of the rest. Here is a link to a
site that explains it. You can press the "Next Chapter" button to look at other parts of how to set up DB
communications. This sampler shows both MySQLi and PDO. Hope it helps.
http://www.w3schools.com/php/php_mysql_prepared_statements.asp
I suggest you read the php.net manual on these and try to understand that it is not protecting your DB in
the way you think it is. Or, just test it. Create a small page that takes your inputs and displays them
back to you so you can see what we are talking about. Something like:
// assumes an open connection in $link, e.g. $link = new mysqli('localhost', 'user', 'pass', 'db');
$temp = $_POST['fname'];
echo $temp . "<br>"
   . htmlentities($temp) . "<br>"
   . mysqli_real_escape_string($link, $temp);   // the connection is the required first argument
Then, type in various things that you think are not safe into the first name field and see what you
get back from it. It does not strip out code and does not make the field safe from code infection. These
DO help in formatting the string so it can be used in a QUERY, but they do not really protect you. That is
the big difference.
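The prepared-statement approach described in the post above, as an added example that is not part of the original post or of the linked w3schools page. It assumes a MySQL server reachable on localhost with a database named app, a table users(id INT AUTO_INCREMENT PRIMARY KEY, fname VARCHAR(100)), and the credentials shown; all of those names are placeholders for your own setup. The first-name value is a constructed sample containing a quote and a comment marker, the kind of input that breaks a query built by string concatenation.

```php
<?php
// Added example, not code from the original post. Database name, table,
// columns and credentials below are assumptions; change them to match your site.
declare(strict_types=1);

// Throw exceptions on MySQL errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Untrusted input: what the visitor typed into the first-name field. The
// fallback is a constructed sample that would terminate a quoted SQL literal.
$fname = $_POST['fname'] ?? "Robert'; DROP TABLE users; --";

// What NOT to do: gluing the value into the SQL text. Even with escaping,
// the value and the query travel to the server as one string.
//   $sql = "SELECT id, fname FROM users WHERE fname = '" . $fname . "'";

// ---- MySQLi with a prepared statement ----
$mysqli = new mysqli('localhost', 'app_user', 'app_pass', 'app');
$mysqli->set_charset('utf8mb4');

// The ? is a placeholder. The SQL text is sent to the server first and parsed
// on its own; the value is sent afterwards and can only ever be data.
$stmt = $mysqli->prepare('INSERT INTO users (fname) VALUES (?)');
$stmt->bind_param('s', $fname);   // 's' = bind this placeholder as a string
$stmt->execute();
$stmt->close();

$stmt = $mysqli->prepare('SELECT id, fname FROM users WHERE fname = ?');
$stmt->bind_param('s', $fname);
$stmt->execute();
$result = $stmt->get_result();    // requires the mysqlnd driver (default in modern PHP)
while ($row = $result->fetch_assoc()) {
    // htmlentities is for the display step: the browser shows the stored
    // text as text instead of interpreting it as markup.
    echo htmlentities($row['fname'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
$stmt->close();

// ---- Same query with PDO ----
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares, not client-side quoting
]);
$stmt = $pdo->prepare('SELECT id, fname FROM users WHERE fname = ?');
$stmt->execute([$fname]);        // values are bound positionally to the ?s
foreach ($stmt as $row) {
    echo htmlentities($row['fname'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

Save this as a page, submit the sample value through the first-name field, and check the users table afterwards: the row contains the literal text Robert'; DROP TABLE users; -- and the table still exists, because the ? placeholder kept the input out of the SQL text entirely.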