No. htmlspecialchars() is for filtering output to be sent to a web browser. For data to be output via SQL to a database you want to use a function that escapes certain characters that are "special" to SQL, preferably one specific to the DBMS in question, such as mysql_real_escape_string() for MySQL.
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation
Are there any other techniques other than mysql_real_escape_string to remove SQL injection? It tends to remove my text formatting such as bullets and tabs which I have copy-pasted into the textarea.
I'm using WYSIWYG for an online text editor. I'm not sure if it's safe already.
When used as intended, mysql_real_escape_string() does not change any text that gets saved in the database. All it does is "escape" certain characters that would otherwise have special meaning in SQL. The escaping character (a back-slash) never actually makes it into the data, so if your data is being modified in some way, it is likely due to something else (such as the dreaded "magic_quotes_gpc" setting), or the way you are later outputting the data after retrieving it from the database. (Note that the preceding may not hold true if using mysql_real_escape_string() with a DBMS other than MySQL.)
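An added example, not code from this thread, that models in plain Python what the two answers above describe (htmlspecialchars() being an output filter, and escaping never reaching the stored data unless something like magic_quotes_gpc escapes it twice). The escaping function, the magic_quotes stand-in and the literal decoder are constructed models of the PHP and MySQL behaviour, not the real functions, which need a live database connection.

```python
import html

# Characters that mysql_real_escape_string() escapes, and the sequence each becomes
# inside a SQL string literal (model of the PHP function, not a call to it).
_MYSQL_ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"',
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
}

def mysql_escape(value: str) -> str:
    """Model of mysql_real_escape_string(): only characters special to SQL change."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)

def magic_quotes(value: str) -> str:
    """Model of magic_quotes_gpc: addslashes() silently applied to request data."""
    return "".join("\\" + ch if ch in "\\'\"\0" else ch for ch in value)

def mysql_literal_to_stored(literal: str) -> str:
    """Model of how MySQL decodes a quoted literal: the backslashes are consumed
    by the parser and the decoded characters are what gets stored."""
    reverse = {"\\": "\\", "'": "'", '"': '"', "0": "\0",
               "n": "\n", "r": "\r", "Z": "\x1a"}
    out, i = [], 0
    while i < len(literal):
        if literal[i] == "\\" and i + 1 < len(literal):
            out.append(reverse.get(literal[i + 1], literal[i + 1]))
            i += 2
        else:
            out.append(literal[i])
            i += 1
    return "".join(out)

def stored_after_escape(user_input: str, magic_quotes_on: bool = False) -> str:
    """What the database ends up holding. Escaping once round-trips the input
    unchanged (tabs included); magic_quotes plus escaping stores stray backslashes."""
    value = magic_quotes(user_input) if magic_quotes_on else user_input
    return mysql_literal_to_stored(mysql_escape(value))

def stored_if_html_escaped(user_input: str) -> str:
    """Running an HTML output filter (htmlspecialchars() in PHP, html.escape here)
    before the INSERT stores entities such as &lt; in the database and does nothing
    for SQL; that filter belongs at output time."""
    return mysql_literal_to_stored(mysql_escape(html.escape(user_input)))

if __name__ == "__main__":
    sample = "it's a \"quote\"\twith\ttabs\nand a \\ backslash"  # constructed input
    print(repr(mysql_escape(sample)))                      # SQL text, with backslashes
    print(stored_after_escape(sample) == sample)           # True: data is unchanged
    print(repr(stored_after_escape("it's", magic_quotes_on=True)))  # "it\\'s"
```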
I do not "know", but I highly doubt it. I strongly suggest you read Essential PHP Security. (It's available at that site as an E-book if you don't want to spend the money on the paper version.) Also spend a little time carefully reading the PHP manual pages about SQL Injection, mysql_real_escape_string(), and "magic quotes".