On Tue, Aug 12, 2008 at 2:47 PM, Philip Thompson <philthathril@xxxxxxxxx> wrote:
> Hi all.
>
> If you are sanitizing _POST input for a database by escaping (via mysql_*),
> is there a reason to use strip_tags()? If so, why and could you provide an
> example?
>
> Thanks,
> ~Philip
>

The database won't care whether the content includes HTML tags. So, in that sense, there isn't a reason.

However, there are other reasons. For one, often the contents are rendered in a web browser and you may not want the full array of HTML tags to appear in the generated source code, either for security reasons or for aesthetics. Another is that a lot of times HTML code can have tag bloat. Unnecessary tags reduce the amount of actual content you can store in a limited character column even though they may contribute little useful formatting.

I think it's a good idea to decide exactly what HTML tags you want to allow. Then you have a few options for what you do with tags you don't want, such as stripping them out using strip_tags() with the optional parameter to allow those tags, or escaping the rest of the text with htmlspecialchars(). If you strip the tags out, it makes sense to do this before you save the value so they only need to be stripped out once.

Andrew

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
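The following is an added example, not code posted in the thread above. It walks through the approach Andrew describes: decide which tags to allow, strip the rest with strip_tags() before saving, and escape with htmlspecialchars() when rendering text that should not be interpreted as markup. The field name, the `comments` table and column, and the helper names are assumptions made for illustration. It also shows the caveat a practitioner should know: strip_tags() keeps attributes on the tags it allows, so an allow-list alone does not stop `<b onmouseover="...">`. The database write uses a mysqli prepared statement rather than the mysql_* escaping from the question, since the mysql_* extension was removed in PHP 7.

```php
<?php
// Added example, not from the original thread. Field name "comment",
// table "comments" and column "body" are assumptions for illustration.

declare(strict_types=1);

// Tags you have decided to allow. Everything else is removed by strip_tags().
// Keep this to attribute-free formatting tags; see dropAttributes() below.
const ALLOWED_TAGS = '<b><i><em><strong>';

/**
 * Step 1 (before saving): remove every tag except the allowed ones.
 * Caveat: strip_tags() does not touch attributes on tags it allows, so an
 * event-handler attribute on <b> survives this call. strip_tags() also keeps
 * the text between removed tags, so the body of a removed <script> remains
 * as plain text.
 */
function stripUnwantedTags(string $input): string
{
    return strip_tags($input, ALLOWED_TAGS);
}

/**
 * Drop every attribute from the allowed tags, turning <b onmouseover="x">
 * into <b>. This regex is only sound because ALLOWED_TAGS is a small, fixed
 * set of tags that never legitimately carry attributes; it is not a general
 * HTML sanitizer and should not be extended to tags like <a> or <img>.
 */
function dropAttributes(string $html): string
{
    return preg_replace('#<(/?)(b|i|em|strong)\b[^>]*>#i', '<$1$2>', $html);
}

/**
 * Step 2 (when rendering untrusted text): escape instead of stripping.
 * Nothing in the result is interpreted as markup by the browser, so this
 * is the right call for fields where you do not want any HTML at all.
 */
function escapeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Step 3 (saving): the database cares about SQL syntax, not HTML tags.
 * A prepared statement keeps the value out of the SQL text entirely,
 * whatever tags or quotes it contains.
 */
function saveComment(mysqli $db, string $comment): bool
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (?)');
    $stmt->bind_param('s', $comment);
    return $stmt->execute();
}

// Constructed sample input standing in for $_POST['comment'].
$raw = 'Hi <b onmouseover="alert(1)">there</b> '
     . '<script>alert(2)</script> '
     . '<a href="javascript:alert(3)">link</a>';

// <script> and <a> are removed (their inner text stays), but the
// onmouseover attribute on the allowed <b> is still present here.
$stripped = stripUnwantedTags($raw);

// The allowed tags are kept, now without attributes. This is the value
// to store, so the stripping happens once rather than on every render.
$clean = dropAttributes($stripped);

// For a field where no HTML is wanted, escape the raw value on output
// instead; every <, >, " and & becomes an entity.
$escaped = escapeForHtml($raw);

echo "stripped: $stripped", PHP_EOL;
echo "clean:    $clean", PHP_EOL;
echo "escaped:  $escaped", PHP_EOL;

// Persisting the cleaned value (connection details are assumptions):
// saveComment(new mysqli('localhost', 'user', 'pass', 'app'), $clean);
```

Run it with `php example.php` and compare the three lines: the `stripped` line still carries the `onmouseover` attribute, which is why an allow-list passed to strip_tags() is not by itself enough when the stored value will be echoed back as HTML. Either keep the allow-list to attribute-free tags and drop attributes as shown, or store the raw text and escape it on output.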