strip_tags or htmlspecialchars?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Sequalit
Forum Commoner
Posts: 75
Joined: Wed Oct 12, 2005 9:57 pm
Location: Texas

Post by Sequalit »

When dealing with a user logging into your system, should I use

strip_tags

to get rid of the HTML commands?

Or should I convert the HTML into non-harmful stuff with

htmlspecialchars

Which is more secure against an XSS attack or any other type of hacking attempt?
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

If you want to get rid of the HTML you need to use strip_tags as this removes the tags. htmlspecialchars will only convert certain chars into their code, like '<' to '&lt;'.

However please don't use just strip_tags to make sure all html is gone. It can be abused as you can read in the comments of http://www.php.net/manual/en/function.strip-tags.php
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

strip_tags is also a very dumb function. If you must remove the HTML, try using the "smarter strip_tags" found in the Useful Posts thread (link in signature).
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

After using the "smarter" functions feyd mentioned, you can also use htmlentities(). It'll change any remaining malformed tags (plus XSS) into literal entity values, i.e. the remaining HTML will get printed to screen but not as part of the HTML source.
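The script below is an added example, not code from any post in this thread. It runs strip_tags() and htmlspecialchars() over a handful of constructed inputs of the kind a login form might receive, so the difference AGISB and Maugrim describe can be seen directly: strip_tags() deletes text (and, with an allow-list, keeps the attributes on the allowed tags, which is the abuse the php.net comments AGISB links to describe), while htmlspecialchars() keeps the user's text intact and encodes the characters that would otherwise be interpreted as HTML. The helper names encodeForHtml() and stripKeepingBold() are this example's own.

```php
<?php
// Added example: strip_tags() vs htmlspecialchars() on constructed inputs.
declare(strict_types=1);

// Constructed sample inputs (not real user data), as submitted in a form field.
$payloads = [
    'alice',
    '<script>alert(1)</script>',
    // An allowed tag still carries its event-handler attribute through strip_tags().
    '<b onmouseover="alert(1)">bold</b>',
    // A stray '<' followed by a letter looks like a tag start to strip_tags(),
    // so it discards the rest of the string instead of keeping the user's text.
    'Bob <Jones',
    // Attribute break-out attempt: strip_tags() leaves only the leading quote and bracket.
    '"><img src=x onerror=alert(1)>',
];

// Output encoding: escape for HTML element content or a double-quoted attribute.
// ENT_QUOTES also encodes the single quote; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string.
function encodeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Sanitising with an allow-list of tags. strip_tags() does not filter the
// attributes on allowed tags, so this still lets on* handlers through.
function stripKeepingBold(string $s): string
{
    return strip_tags($s, '<b><i>');
}

foreach ($payloads as $p) {
    printf("input:               %s\n", $p);
    printf("strip_tags():        %s\n", strip_tags($p));
    printf("strip_tags(allow):   %s\n", stripKeepingBold($p));
    printf("htmlspecialchars():  %s\n\n", encodeForHtml($p));
}
```

Running it shows the trade-off the thread is about. strip_tags() turns `<script>alert(1)</script>` into `alert(1)` and `"><img src=x onerror=alert(1)>` into `">`, but it also truncates `Bob <Jones` to `Bob ` and passes `<b onmouseover="alert(1)">bold</b>` through untouched when `<b>` is allowed. htmlspecialchars() changes none of the user's characters; it only rewrites `<`, `>`, `&`, `"` and `'` as entities, so the browser renders the string as literal text rather than as markup. For a login field the value is compared against stored credentials, not rendered, so there is nothing to strip; what matters is to encode it if it is ever echoed back into a page.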