When dealing with a user logging into your system, should I use
strip_tags
to get rid of the HTML commands?
Or should I convert the HTML into non-harmful stuff with
htmlspecialchars?
Which is more secure against an XSS attack, or against any other type of hacking attempt?
strip_tags or htmlspecialchars?
Moderator: General Moderators
If you want to get rid of the HTML you need to use strip_tags, as this removes the tags. htmlspecialchars will only convert certain chars into their entity code, like '<' to '&lt;'.
However, please don't use just strip_tags to make sure all HTML is gone. It can be abused, as you can read in the comments of http://www.php.net/manual/en/function.strip-tags.php
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
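To make the difference in the answer above concrete, here is an added PHP script (not code from the thread) that runs both functions over a few constructed login-form values; the sample strings are made up for illustration.

```php
<?php
// Added example: contrast strip_tags() and htmlspecialchars() on the same input.
// The sample values below are constructed, not real user data.
$inputs = [
    'alice',                      // plain username: both functions leave it alone
    'a <b>bold</b> name',         // markup that a user has no reason to send
    '<script>alert(1)</script>',  // classic XSS probe string
    'Price <10 USD',              // legitimate text that merely looks like a tag
];

/**
 * Output encoding: turn every character that has meaning in HTML into an
 * entity so the browser shows the value as text instead of parsing it.
 * This is the function to call at the point where the value is echoed.
 */
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Tag removal: strip_tags() deletes anything that looks like a tag but keeps
 * whatever was between the tags. It changes the stored data and, as the
 * PHP manual comments point out, is not a reliable XSS defence on its own.
 */
function removeTags(string $value): string
{
    return strip_tags($value);
}

foreach ($inputs as $value) {
    printf("input:            %s\n", $value);
    // e.g. '<script>alert(1)</script>' becomes 'alert(1)': the tags are gone,
    // but the script body survives and the original text is lost.
    printf("strip_tags:       %s\n", removeTags($value));
    // e.g. the same input becomes '&lt;script&gt;alert(1)&lt;/script&gt;',
    // which a browser renders literally and cannot execute.
    printf("htmlspecialchars: %s\n", encodeForHtml($value));
    echo "\n";
}
```

Note the last input: strip_tags() treats the unterminated '<' as the start of a tag and drops the rest of the string, whereas htmlspecialchars() keeps it intact as '&lt;10 USD'. Storing the raw value and encoding it with htmlspecialchars() on output is the pattern that protects the page without mangling what the user typed.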