On 3/14/10 11:45 AM, Ashley Sheridan wrote:
> On Sun, 2010-03-14 at 12:25 +0100, Rene Veerman wrote:
>
>> On Sun, Mar 14, 2010 at 12:24 PM, Rene Veerman <rene7705@xxxxxxxxx> wrote:
>>>
>>> I'd love to have a copy of whatever function you use to filter out bad
>>> HTML/js/flash for use cases where users are allowed to enter html.
>>> I'm aware of strip_tags() "allowed tags" param, but haven't got a good list
>>> for it.
>>>
>>
>> oh, and even <img> tags can be used for cookie-stuffing on many browsers..
>>
>
>
> Yes, and you call strip_tags() before the data goes to the browser for
> display, not before it gets inserted into the database. Essentially, you
> need to keep as much original information as possible.

I disagree with both of you. I'm like that :)

Let's assume we're not talking about data that is allowed to contain HTML. In such cases I would do a strip_tags() on the incoming data, then compare the output of strip_tags() to the original input ... if they don't match, then I would log the problem and refuse to input the data at all.

Using strip_tags() on a piece of data every time you output it, if you know that it shouldn't contain any in the first place, is a waste of resources ... this does assume that you can trust the data source ... which in the case of a database that you control should be the case.

At any rate, strip_tags() doesn't belong in an 'anti-sql-injection' routine as it has nothing to do with sql injection at all.

> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
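The reject-on-mismatch check described in the last reply, written out as an added example (this is not code posted by anyone in the thread). It assumes a field that must never contain HTML, runs strip_tags() over the incoming value, and if the result differs from the original it logs the event through a caller-supplied logger (the `$logger` callable and the `MarkupRejectedException` class are this example's own names) and refuses the value rather than storing a cleaned-up version. The sample inputs at the bottom are constructed for demonstration.

```php
<?php
// Added example, not from the mailing-list thread: validate fields that must
// not contain any HTML by comparing strip_tags() output with the raw input.

declare(strict_types=1);

final class MarkupRejectedException extends RuntimeException {}

/**
 * Return $value unchanged when strip_tags() leaves it untouched; otherwise log
 * the rejection and throw, so nothing derived from the input is stored.
 *
 * @param callable(string):void $logger  receives one descriptive log line
 */
function rejectIfMarkup(string $field, string $value, callable $logger): string
{
    $stripped = strip_tags($value);
    if ($stripped !== $value) {
        // Log the size of what was removed and a digest of the raw value rather
        // than the raw value itself, so the log line cannot carry the markup
        // into whatever tool later renders the logs.
        $logger(sprintf(
            'Rejected field "%s": %d bytes of markup removed (sha256 %s)',
            $field,
            strlen($value) - strlen($stripped),
            hash('sha256', $value)
        ));
        throw new MarkupRejectedException("Field '$field' must not contain HTML");
    }
    return $value;
}

// Constructed sample inputs for demonstration.
$samples = [
    'username' => 'rene7705',
    'homepage' => 'http://example.invalid/?a=1&b=2', // no '<', accepted
    'comment'  => 'This is <b>bold</b> text',        // refused
    'bio'      => 'I like <img src=x>',              // refused
];

$logger = static function (string $line): void {
    error_log($line);
    echo "LOG: $line\n";
};

foreach ($samples as $field => $value) {
    try {
        $clean = rejectIfMarkup($field, $value, $logger);
        echo "accepted $field: $clean\n";
    } catch (MarkupRejectedException $e) {
        echo "refused  $field: {$e->getMessage()}\n";
    }
}
```

Two things worth knowing before adopting this as-is. First, strip_tags() treats any `<` not followed by whitespace as the start of a tag, so plain text such as `1<2` is refused too; that strictness is the point of the check, but it means the fields it guards must be ones where a bare `<` is never legitimate. Second, as the reply notes, this has nothing to do with SQL injection: it validates content for the output side, and the database side still needs parameterized queries regardless of what this function accepts.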