On Aug 12, 2008, at 4:11 PM, Andrew Ballard wrote:
On Tue, Aug 12, 2008 at 4:53 PM, Philip Thompson <philthathril@xxxxxxxxx> wrote:
On Aug 12, 2008, at 2:10 PM, Andrew Ballard wrote:
On Tue, Aug 12, 2008 at 2:47 PM, Philip Thompson <philthathril@xxxxxxxxx> wrote:
Hi all.
If you are sanitizing _POST input for a database by escaping (via mysql_*), is there a reason to use strip_tags()? If so, why and could you provide an example?
Thanks,
~Philip
The database won't care whether the content includes HTML tags. So, in that sense, there isn't a reason.
However, there are other reasons. For one, often the contents are rendered in a web browser and you may not want the full array of HTML tags to appear in the generated source code, either for security reasons or for aesthetics. Another is that a lot of times HTML code can have tag bloat. Unnecessary tags reduce the amount of actual content you can store in a limited character column even though they may contribute little useful formatting.
I think it's a good idea to decide exactly what HTML tags you want to allow. Then you have a few options with what you do with tags you don't want, such as stripping them out using strip_tags() with the optional parameter to allow those tags, or escaping the rest of the text with htmlspecialchars(). If you strip the tags out, it makes sense to do this before you save the value so they only need to be stripped out once.
Andrew
Thanks Andrew and Richard. I have another question which I can't seem to find in the manual.
Will strip_tags() only strip known HTML tags or will it just strip anything within < and >? I have some encrypted data that may contain < and >, and I don't want strip_tags() to remove the characters in this encrypted string.
<DÃ"ý€>û¥63 ôà ×¼7
So, from this, I don't want "<DÃ"ý€>" removed. Obviously, this isn't a standard HTML tag. Thoughts?
Thanks,
~Philip
Try it and see, but it looks like the answer is "it depends". I ran
your message text through strip_tags and it seems to remove the
greater-than signs when followed by non-whitespace characters, but
left them when they were surrounded by whitespace. Compare below to
your original message:
[---snip---]
Thanks Andrew and Richard. I have another question which I can't seem to find in the manual.
Will strip_tags() only strip known HTML tags or will it just strip anything within < and >? I have some encrypted data that may contain < and >, and I don't want strip_tags() to remove the characters in this encrypted string.
û¥63 ôà ×¼7
So, from this, I don't want "" removed. Obviously, this isn't a standard HTML tag. Thoughts?
[---snip---]
Andrew
I did a similar test:
<?php
$strs = array(
    "<DÃý€>____û¥63 ôà ×¼7",
    "<DÃý€____û¥63 ôà ×¼7",
    "< DÃý€ >û¥63 ôà ×¼7",
    "<p>How are you doing?</p>",
);

echo "<pre>\nstr:\n";
foreach ($strs as $i => $str) {
    echo "$i => " . htmlentities($str) . "\n";
}

echo "\nstripped:\n";
foreach ($strs as $i => $str) {
    echo "$i => " . htmlentities(strip_tags($str)) . "\n";
}
echo "</pre>\n";
?>
The output from this was:
str:
0 => <DÃý€>____û¥63 ôà ×¼7
1 => <DÃý€____û¥63 ôà ×¼7
2 => < DÃý€ >û¥63 ôà ×¼7
3 => <p>How are you doing?</p>
stripped:
0 => ____û¥63 ôà ×¼7
1 =>
2 => < DÃý€ >û¥63 ôà ×¼7
3 => How are you doing?
----------------
Notice how stripped[1] is empty. This occurred when I removed the closing >. I find this to be a bit odd. Oh well. Maybe a bug or feature?
Nonetheless, I test if it is an encrypted string, then don't call strip_tags() on it. Otherwise, do. This seems like it will work well.
Thanks for the input!
~Philip
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
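As an added example (not code from the thread, and not anything Philip or Andrew posted), here is how I would separate the concerns the thread runs together, in PHP 7 or later: keep ciphertext away from text filters by encoding it, strip tags once per rendered field, escape on output, and let the database driver bind values instead of escaping them by hand. The helper names, the `comments` table, and the use of PDO with its SQLite driver are assumptions of this example.

```php
<?php
// Added example for this thread (not code posted by Philip or Andrew).
// Targets PHP 7+; all helper names are illustrative.

// 1. Ciphertext is bytes, not HTML. Encode it before it reaches any text
//    filter or the database, so a stray '<' can never start a phantom tag.
function encodeCiphertextForStorage(string $ciphertext): string
{
    return base64_encode($ciphertext);   // alphabet is [A-Za-z0-9+/=], never < or >
}

function decodeCiphertextFromStorage(string $stored): string
{
    $raw = base64_decode($stored, true);  // strict mode rejects anything that is not base64
    if ($raw === false) {
        throw new UnexpectedValueException('stored ciphertext is not valid base64');
    }
    return $raw;
}

// 2. Text that will be rendered: pick an allow-list of tags per field and strip
//    the rest once, before saving. Caveat from the PHP manual: strip_tags() leaves
//    attributes on allowed tags untouched, so '<b onmouseover="...">' survives,
//    and an allow-list alone is not an XSS defence. Either allow no tags at all,
//    or run an attribute filter or a real HTML sanitizer after this.
function cleanComment(string $input, string $allowedTags = ''): string
{
    return strip_tags($input, $allowedTags);
}

// 3. Output escaping for anything printed as text inside HTML. Apply it on the
//    way out, not before saving; the stored value stays plain text.
function renderAsText(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 4. Database escaping is a separate layer: bind the value instead of escaping
//    it by hand. PDO is assumed here; the table name is illustrative.
function saveComment(PDO $db, string $cleaned): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $cleaned]);
}

// Demonstration on constructed inputs.
// Constructed ciphertext-like bytes containing '<' and '>' (not the output of any real cipher).
$ciphertext = "<D\xE2\x82\xAC>\xFB\xA5" . "63 \xF4\xE0 \xD7\xBC7";
$stored     = encodeCiphertextForStorage($ciphertext);
var_dump(strpos($stored, '<') === false);                        // encoded form is tag-free
var_dump(decodeCiphertextFromStorage($stored) === $ciphertext);  // round-trips byte for byte

// The same bytes with the closing '>' removed: strip_tags() treats the '<'
// as the start of a tag that never closes and discards everything after it,
// which is the empty stripped[1] in Philip's test.
var_dump(strip_tags("<D\xE2\x82\xAC\xFB\xA5" . "63"));

// Allowed tags keep their attributes; only the disallowed <script> tags go.
var_dump(cleanComment('<b onmouseover="steal()">hi</b><script>x()</script>', '<b>'));

// Plain-text field, escaped on output: every '<' becomes '&lt;' in the page source.
var_dump(renderAsText(cleanComment('<p>How are you doing?</p>')));

// Stored through a bound parameter; '<' followed by whitespace is left alone by strip_tags().
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');
saveComment($db, cleanComment('<p>Hi</p> 1 < 2 and 3 > 2'));
var_dump($db->query('SELECT body FROM comments')->fetchColumn());
```

The design choice worth noting: rather than detecting "is this an encrypted string?" at filter time, as Philip does, the example makes the question moot by never storing raw ciphertext bytes in a text column. Base64 (or hex) output cannot contain `<`, so no text filter can damage it, and the strict `base64_decode` catches a value that was tampered with or truncated on the way back.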