On Aug 12, 2008, at 2:10 PM, Andrew Ballard wrote:
On Tue, Aug 12, 2008 at 2:47 PM, Philip Thompson <philthathril@xxxxxxxxx> wrote:
Hi all.
If you are sanitizing _POST input for a database by escaping (via mysql_*),
is there a reason to use strip_tags()? If so, why and could you provide an
example?
Thanks,
~Philip
The database won't care whether the content includes HTML tags. So, in
that sense, there isn't a reason.
However, there are other reasons. For one, often the contents are
rendered in a web browser and you may not want the full array of HTML
tags to appear in the generated source code either for security
reasons or for aesthetics. Another is that a lot of times HTML code
can have tag bloat. Unnecessary tags reduce the amount of actual
content you can store in a limited character column even though they
may contribute little useful formatting.
I think it's a good idea to decide exactly what HTML tags you want to
allow. Then you have a few options with what you do with tags you
don't want, such as stripping them out using strip_tags() with the
optional parameter to allow those tags, or escaping the rest of the
text with htmlspecialchars(). If you strip the tags out, it makes
sense to do this before you save the value so they only need to be
stripped out once.
Andrew
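Andrew's two options in working form, as an added example that is not code from the thread (modern PHP 7+ syntax; the column width, the allowed tag set and the sample strings are constructed assumptions). It also shows why strip_tags() is the wrong tool for opaque data like Philip's encrypted string: it keeps no list of HTML element names and drops any run from '<' to the next '>'.

```php
<?php
// Added example, not code from the thread. MAX_LEN and ALLOWED_TAGS are
// assumed values chosen for illustration.

const MAX_LEN = 255;               // assumed width of the target column
const ALLOWED_TAGS = '<b><i><em>'; // strip_tags() allow-list syntax

// Option 1: decide which tags may live in the stored value and strip the
// rest once, before the INSERT, so it never has to be repeated on output.
// Caveat: strip_tags() leaves attributes on allowed tags untouched, so keep
// the allow-list to plain formatting tags.
function cleanForStorage(string $input): string
{
    $clean = strip_tags($input, ALLOWED_TAGS);
    // Tag bloat is removed before the length check, so the column limit
    // applies to real content rather than markup.
    return mb_substr($clean, 0, MAX_LEN, 'UTF-8');
}

// Option 2: store the text verbatim and neutralize it when rendering, so
// every '<' reaches the browser as '&lt;' instead of as markup.
function escapeForHtml(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
}

// strip_tags() keeps no table of known HTML element names: any run from
// '<' to the next '>' is treated as a tag and removed.
function survivesStripTags(string $input): bool
{
    return strip_tags($input) === $input;
}

// Constructed comment mixing allowed, bloat and dangerous tags.
$comment = 'Hello <b>world</b> <font size="7">big</font> <script>alert(1)</script>';
echo cleanForStorage($comment), "\n";
echo escapeForHtml($comment), "\n";

// Constructed stand-in for the binary string in the thread: the bytes
// between '<' and '>' are not HTML, but strip_tags() removes them anyway.
$encrypted = "<D\xC3\x94\xC3\xBD\xE2\x82\xAC>\xC3\xBB\xC2\xA563";
var_dump(survivesStripTags($encrypted));

// Opaque data should bypass text sanitizers entirely; encoding it to an
// alphabet that contains neither '<' nor '>' (base64 here) makes that safe.
var_dump(survivesStripTags(base64_encode($encrypted)));
```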
Thanks Andrew and Richard. I have another question which I can't seem
to find in the manual.
Will strip_tags() only strip known HTML tags or will it just strip
anything within < and >? I have some encrypted data that may contain <
and >, and I don't want strip_tags() to remove the characters in this
encrypted string.
<DÔý€>û¥63Âôà ×¼7
So, from this, I don't want "<DÔý€>" removed. Obviously,
this isn't a standard HTML tag. Thoughts?
Thanks,
~Philip
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php