On Tue, Aug 12, 2008 at 4:53 PM, Philip Thompson <philthathril@xxxxxxxxx> wrote:
> On Aug 12, 2008, at 2:10 PM, Andrew Ballard wrote:
>
>> On Tue, Aug 12, 2008 at 2:47 PM, Philip Thompson <philthathril@xxxxxxxxx>
>> wrote:
>>>
>>> Hi all.
>>>
>>> If you are sanitizing _POST input for a database by escaping (via
>>> mysql_*), is there a reason to use strip_tags()? If so, why and could
>>> you provide an example?
>>>
>>> Thanks,
>>> ~Philip
>>>
>>
>> The database won't care whether the content includes HTML tags. So, in
>> that sense, there isn't a reason.
>>
>> However, there are other reasons. For one, often the contents are
>> rendered in a web browser and you may not want the full array of HTML
>> tags to appear in the generated source code either for security
>> reasons or for aesthetics. Another is that a lot of times HTML code
>> can have tag bloat. Unnecessary tags reduce the amount of actual
>> content you can store in a limited character column even though they
>> may contribute little useful formatting.
>>
>> I think it's a good idea to decide exactly what HTML tags you want to
>> allow. Then you have a few options with what you do with tags you
>> don't want, such as stripping them out using strip_tags() with the
>> optional parameter to allow those tags, or escaping the rest of the
>> text with htmlspecialchars(). If you strip the tags out, it makes
>> sense to do this before you save the value so they only need to be
>> stripped out once.
>>
>>
>> Andrew
>
> Thanks Andrew and Richard. I have another question which I can't seem to
> find in the manual.
>
> Will strip_tags() only strip known HTML tags or will it just strip anything
> within < and >? I have some encrypted data that may contain < and >, and I
> don't want strip_tags() to remove the characters in this encrypted string.
>
> <DÃ"ý€>û¥63 ôà ×¼7
>
> So, from this, I don't want "<DÃ"ý€>" removed. Obviously, this isn't a
> standard HTML tag. Thoughts?
>
> Thanks,
> ~Philip

Try it and see, but it looks like the answer is "it depends". I ran
your message text through strip_tags and it seems to remove the
greater-than signs when followed by non-whitespace characters, but
left them when they were surrounded by whitespace. Compare below to
your original message:

[---snip---]
Thanks Andrew and Richard. I have another question which I can't seem
to find in the manual.

Will strip_tags() only strip known HTML tags or will it just strip
anything within < and >? I have some encrypted data that may contain <
and >, and I don't want strip_tags() to remove the characters in this
encrypted string.

û¥63 ôà ×¼7

So, from this, I don't want "" removed. Obviously, this isn't a
standard HTML tag. Thoughts?
[---snip---]

Andrew
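The behaviour Andrew describes, worked through as an added example (this is not code from anyone in the thread). It shows strip_tags() removing a "<...>" run that is not an HTML tag, the allowed-tags parameter Andrew mentions, htmlspecialchars() as the output-side alternative that removes nothing, and why binary data such as ciphertext should be base64-encoded before it meets either text filter. The sample "ciphertext" bytes are constructed, not Philip's data; the storage part assumes PHP 7 or later with the pdo_sqlite extension available, and uses an in-memory SQLite database purely so the script runs offline.

```php
<?php
// Added example, not code from the thread. It works through the points
// raised above: strip_tags() acts on anything that looks like a tag, the
// allowed-tags parameter gives an allowlist, and escaping for the database
// and escaping for the browser are separate steps.

// Constructed sample "ciphertext" containing < and > (not Philip's real data).
// The bytes are arbitrary; what matters is the "<...>" run with no whitespace
// after the "<", which strip_tags() treats as a tag.
$encrypted = "<D\xF3\xA8>\xFB\xA563 \xF4\xE0 \xD7\xBC7";

// What strip_tags() does to text that merely looks like markup.
function show_strip_tags(string $s): array
{
    return [
        'original' => $s,
        'stripped' => strip_tags($s),          // the "<D...>" run is gone
        'lossy'    => strip_tags($s) !== $s,   // true
        // Angle brackets surrounded by whitespace survive, as Andrew observed.
        'spaced'   => strip_tags('may contain < and >'),
    ];
}

// Andrew's suggestion: decide which tags you allow and strip the rest.
function strip_to_allowlist(string $html): string
{
    // Only <b>, <i> and <p> survive. Attributes on allowed tags are kept,
    // so this alone is not output escaping for untrusted markup.
    return strip_tags($html, '<b><i><p>');
}

// Output escaping: nothing is removed; < > & " ' become entities so the
// browser shows them literally. ENT_SUBSTITUTE (PHP >= 5.4) stops invalid
// UTF-8 from making htmlspecialchars() return an empty string.
function for_html_output(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Binary data such as ciphertext should not go through text filters at all.
// Encoded as base64 it contains no < or >, so strip_tags() and
// htmlspecialchars() both leave it unchanged and the bytes are recoverable.
function binary_safe(string $bytes): array
{
    $b64 = base64_encode($bytes);
    return [
        'encoded'       => $b64,
        'survives'      => strip_tags($b64) === $b64 && for_html_output($b64) === $b64,
        'round_trip_ok' => base64_decode($b64, true) === $bytes,
    ];
}

// Database side: a prepared statement stores the bytes exactly as given.
// Escaping (or binding) for the database protects the query, not the
// browser, which is why it is a separate step from the HTML handling above.
// In-memory SQLite is used here only so the script runs offline.
function store_and_fetch(string $value): string
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->exec('CREATE TABLE t (data BLOB)');
    $pdo->prepare('INSERT INTO t (data) VALUES (?)')->execute([$value]);
    return (string) $pdo->query('SELECT data FROM t')->fetchColumn();
}

print_r(show_strip_tags($encrypted));
echo strip_to_allowlist('<p>Hi <b>all</b> <script>x()</script></p>'), "\n";
echo for_html_output('<p>literal & safe</p>'), "\n";
print_r(binary_safe($encrypted));
var_dump(store_and_fetch($encrypted) === $encrypted);
```

Run it with `php example.php`. The first print_r shows the stripped string starting at the bytes after the bogus tag, matching the output Andrew pasted, while the base64 path reports both `survives` and `round_trip_ok` as true; the final var_dump is true because the prepared statement neither strips nor escapes the stored bytes.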