On Aug 12, 2008, at 2:01 PM, Richard Heyes wrote:
>> If you are sanitizing _POST input for a database by escaping (via mysql_*),
>> is there a reason to use strip_tags()? If so, why and could you provide an
>> example?
>
> Not really, as long as you're using something like
> mysql_real_escape_string(). Though if you're redisplaying it to your
> users (i.e. something like a forum) then you might want to use
> strip_tags() to get rid of any HTML.

Actually, yes, the data is likely to be redisplayed to the users on a
website. However, when shoving the data to the browser, I use
htmlentities(). Is it recommended to use strip_tags() before sending
to htmlentities()?
~Philip
--
PHP General Mailing List (http://www.php.net/)
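
The two display paths discussed in this thread, as an added example (not code from any poster): it runs constructed sample strings through htmlentities() alone and through strip_tags() followed by htmlentities(), then reports whether each result is free of raw markup characters and whether the user's original text survives. The function names and sample strings are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. All sample strings are constructed.

// Output encoding as described in the thread: htmlentities() at display time.
function encode_for_html(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// The variant asked about: strip_tags() first, then htmlentities().
function strip_then_encode(string $s): string
{
    return htmlentities(strip_tags($s), ENT_QUOTES, 'UTF-8');
}

// True when no raw tag or attribute delimiter is left for the browser to parse.
function is_markup_free(string $encoded): bool
{
    return strpbrk($encoded, '<>"\'') === false;
}

// True when decoding the output gives back exactly what the user typed.
function round_trips(string $original, string $encoded): bool
{
    return html_entity_decode($encoded, ENT_QUOTES, 'UTF-8') === $original;
}

// Constructed inputs: harmless markup, plain text with comparison signs,
// a script tag, and text containing an ampersand, quotes and angle brackets.
$samples = [
    'I <b>love</b> PHP',
    'if a<b and b>c then a<c',
    '<script>alert(1)</script>',
    'Tom & "Jerry" <tom@example.com>',
];

foreach ($samples as $input) {
    $encoded  = encode_for_html($input);
    $stripped = strip_then_encode($input);
    printf(
        "%-34s encode: safe=%s intact=%s | strip+encode: safe=%s intact=%s\n",
        $input,
        var_export(is_markup_free($encoded), true),
        var_export(round_trips($input, $encoded), true),
        var_export(is_markup_free($stripped), true),
        var_export(round_trips($input, $stripped), true)
    );
}
```

This covers only the display side; escaping for the database with mysql_real_escape_string() is a separate step for a separate context and does not change what the browser receives.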