I'm using mysql_real_escape_string() and htmlspecialchars() functions in my PHP code to make it secure against SQL injection and XSS.
Is there any possibility to hack these functions?
If yes, can you describe how it can be done so that I can improve my code?
Thank you very much.
If your PHP is updated, try to use mysqli or PDO and prepared statements.
But to answer your question, YES, mysql_real_escape_string() can be injected, but it's very complicated to do so. Here's an example
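The answer's recommendation, shown as an added example that is not part of the question or the answer: a PDO prepared statement for the database side and htmlspecialchars() with explicit flags and charset for the HTML side. The DSN, credentials, table name and the sample input are assumptions. Note that the old mysql_* functions (including mysql_real_escape_string()) were removed in PHP 7.0, so on a current PHP the switch to PDO or mysqli is not optional.

```php
<?php
// Added example (not from the original post): parameterised query plus
// output escaping. Connection details below are placeholders.
declare(strict_types=1);

// Assumed DSN and credentials; replace with your own. Setting the charset in
// the DSN makes the client library and the server agree on the encoding.
$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4',
    'example_user',
    'example_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Server-side prepares: parameter values are sent separately from
        // the SQL text and are never spliced into it.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// Look up a user by name. Because the value is bound as a parameter, no
// escaping is needed and no quoting mistake is possible.
function findUserByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escape a value for HTML text or a quoted attribute. ENT_QUOTES covers both
// quote styles; the explicit charset matters because htmlspecialchars() on
// input that is invalid for the assumed charset otherwise returns ''.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed input containing both a quote and a script tag; it is handled
// purely as data on the SQL side and on the HTML side.
$requested = (isset($_GET['name']) && is_string($_GET['name']))
    ? $_GET['name']
    : "O'Brien <script>alert(1)</script>";

$user = findUserByName($pdo, $requested);

if ($user === null) {
    echo '<p>No user named ' . h($requested) . '</p>';
} else {
    echo '<p>Found user #' . (int) $user['id'] . ': ' . h($user['name']) . '</p>';
}
```

The two defences are independent: the prepared statement handles the query regardless of what the string contains, and h() is applied at the point where data is written into HTML, which is the only place an HTML escape is meaningful. Escaping for HTML before storing in the database, or escaping for SQL and then echoing, mixes the two contexts up and is a common source of both bugs and bypasses.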