This isn't an answer to the question that was asked (I believe AbraCadaver's answer is correct), but it is an answer to the "Why doesn't strip_tags() work?" question I foresee coming next.
These function calls are out of order:
$data = strip_tags(htmlspecialchars(mysql_real_escape_string($data)));
mysql_real_escape_string() should be the last modification made to an input string before it goes into the query string.
See the difference:
<?php
# Note: mysql_real_escape_string() needs an open mysql_connect() link, and the
# mysql extension it belongs to was removed in PHP 7.0.

# The order from the question: strip_tags(htmlspecialchars(mysql_real_escape_string()))
var_dump(
    $str = "<span>\r\n&\r\n</span>",
    # string(18) "<span>
    # &
    # </span>"
    $str = mysql_real_escape_string($str),
    # string(22) "<span>\r\n&\r\n</span>"   (the CR/LF are now literal \r and \n)
    $str = htmlspecialchars($str),
    # string(38) "&lt;span&gt;\r\n&amp;\r\n&lt;/span&gt;"
    $str = strip_tags($str)
    # string(38) "&lt;span&gt;\r\n&amp;\r\n&lt;/span&gt;"   (no tags left to strip)
);

# mysql_real_escape_string() applied last: mysql_real_escape_string(htmlspecialchars(strip_tags()))
var_dump(
    $str = "<span>\r\n&\r\n</span>",
    # string(18) "<span>
    # &
    # </span>"
    $str = strip_tags($str),
    # string(5) "
    # &
    # "
    $str = htmlspecialchars($str),
    # string(9) "
    # &amp;
    # "
    $str = mysql_real_escape_string($str)
    # string(13) "\r\n&amp;\r\n"
);
Save htmlspecialchars() for encoding strings after they are read from the database but before they are sent to output.
// Pseudo-code
$sanitized_input = mysql_real_escape_string(strip_tags($raw_input));
database_insert($sanitized_input);
$decoded_output = database_select();
$encoded_output = htmlspecialchars($decoded_output);
output($encoded_output);
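The same flow as the pseudo-code above, written out as an added example (this is not code from the post or its author). Two caveats a practitioner will want alongside it: the mysql extension, and with it mysql_real_escape_string(), was removed in PHP 7.0, and with PDO bound parameters there is no SQL escaping step at all, so the "last modification before the query" question disappears; strip_tags() is a content filter, not the XSS defence, which is the htmlspecialchars() call at output time. The example assumes the pdo_sqlite extension is available; the in-memory database, the table, the sample input and the helper names sanitize_input() and encode_output() are all constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example (not code from the original post): the pseudo-code flow above,
// done with PDO bound parameters in place of mysql_real_escape_string().
// Assumes the pdo_sqlite extension; the in-memory database, the table and the
// sample input are all constructed here for the demonstration.

// Input filter: drop tags and nothing else. No SQL escaping happens here,
// because with a bound parameter the value never becomes part of the SQL text.
function sanitize_input(string $raw): string
{
    return strip_tags($raw);
}

// Output encoder: the last thing that touches the value before it lands in HTML.
function encode_output(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample input: tags, CR/LF, an ampersand and a single quote, i.e.
// one character for each of the three functions discussed above to act on.
$raw = "<span>\r\n&\r\nO'Brien</span>";

// The quote and the line breaks travel as data, separately from the SQL, so
// there is no escaping step whose position in the chain could be wrong.
$insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => sanitize_input($raw)]);

$stored = $pdo->query('SELECT body FROM comments WHERE id = 1')->fetchColumn();

// Read back exactly what strip_tags() produced: raw CR/LF, raw &, raw quote.
var_dump($stored);

// Encoded once, at output: & becomes &amp;, the quote becomes &#039;.
var_dump(encode_output($stored));

// What the post is warning about: had htmlspecialchars() run before storage, the
// output step would encode the stored entities again (&amp; becomes &amp;amp;).
var_dump(encode_output(encode_output($stored)));
```

The third var_dump() is the double-encoding you get when htmlspecialchars() is applied on the way in and again on the way out, which is the practical reason the encoding belongs in one place only, right before output.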