Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Would it be advisable to also add the strip_tags function to this output? I don't want any php/html in the output, but I wasn't sure if this function is necessary since I already use htmlentities. Interested in what you guys would advise. Thanks for your help.
strip_tags() does what it says. It attempts to strip html tags out of text. So if you had <b>hi</b> and used strip_tags() on it, it would just come out as 'hi'.
If you've run htmlentities() on some text, then the tags have been turned into their entity text of &lt; and &gt;. When strip_tags() goes to strip the tags, there aren't any to strip!
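The point about ordering, as an added example that is not part of the original thread (the sample input string is constructed; `ENT_QUOTES` and `'UTF-8'` are the standard htmlentities() arguments, chosen here so single quotes are escaped too and the charset is explicit):

```php
<?php
declare(strict_types=1);

// Constructed sample input: contains a tag, an ampersand and quotes.
$input = 'Hello <b>world</b> & "friends"';

/**
 * Escape first, then strip: strip_tags() finds nothing to remove because
 * '<' and '>' have already become &lt; and &gt;.
 */
function escapeThenStrip(string $text): string
{
    return strip_tags(htmlentities($text, ENT_QUOTES, 'UTF-8'));
}

/**
 * Strip first, then escape: tags are removed, and whatever text remains
 * is escaped so the browser shows it literally. This is the order that
 * gives "no HTML at all" in the output.
 */
function stripThenEscape(string $text): string
{
    return htmlentities(strip_tags($text), ENT_QUOTES, 'UTF-8');
}

echo escapeThenStrip($input), PHP_EOL;
// Hello &lt;b&gt;world&lt;/b&gt; &amp; &quot;friends&quot;
// The browser displays the literal characters "<b>world</b>"; nothing is bold.

echo stripThenEscape($input), PHP_EOL;
// Hello world &amp; &quot;friends&quot;
```

Either order is safe for output (the first never lets a tag reach the browser, the second removes the tags and escapes the rest), so for the question as asked, htmlentities() alone already prevents the input from being rendered as markup; strip_tags() only changes whether the tag text is displayed or dropped.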
htmlentities() will take special characters, quotes (see ENT_QUOTES option), and such - including the characters used to create tags for HTML, and turn them all into entities. Entities are not parsed by the browser - it displays their decoded literal values. I.e. it will print <b> when entitised to &lt;b&gt; on screen rather than rendering it as an opening bold tag.
strip_tags() attempts to remove all html tags from the string value it is passed, unless a list of tags to ignore is specified. So, it can be used in a system to allow only a small number of tags to be used. However, you shouldn't rely on it completely. For starters, it can still allow javascript to be injected within attributes to allowed tags, leading to XSS exploits... You should google and read up on using strip_tags() in conjunction with other measures.
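The attribute problem with an allow-list, as an added example that is not from the original thread. The input is constructed, with the attribute value written as a comment placeholder rather than a real script; `keptTagsHaveAttributes()` is a hypothetical heuristic check written for this example, not a sanitizer:

```php
<?php
declare(strict_types=1);

// Constructed sample: an allowed <b> tag carrying an event-handler attribute,
// plus a <script> element that is not on the allow-list.
$input = '<b onclick="/* attacker-controlled script */">bold</b> <script>x()</script> text';

/**
 * strip_tags() with an allow-list removes disallowed tags but, as the PHP
 * manual notes, does not touch the attributes of the tags it keeps.
 */
function keepBoldOnly(string $html): string
{
    return strip_tags($html, '<b>');
}

/**
 * Heuristic check (illustrative only): does any remaining tag still carry
 * attributes? A match means the allow-list output is not safe to echo.
 */
function keptTagsHaveAttributes(string $html): bool
{
    return preg_match('/<[a-z][a-z0-9]*\s+[^>]*>/i', $html) === 1;
}

/**
 * For the case in the question (no HTML wanted at all), do not use an
 * allow-list: strip everything, then escape what is left for output.
 */
function plainTextForOutput(string $html): string
{
    return htmlentities(strip_tags($html), ENT_QUOTES, 'UTF-8');
}

$kept = keepBoldOnly($input);
echo $kept, PHP_EOL;
// <b onclick="/* attacker-controlled script */">bold</b> x() text
// The <script> tags are gone but their text content "x()" stays, and the
// onclick attribute on the allowed <b> survives untouched.

var_dump(keptTagsHaveAttributes($kept)); // bool(true): not safe to echo as-is

echo plainTextForOutput($input), PHP_EOL;
// bold x() text
```

The regex check only flags the problem; it is not a fix. If some markup really must be allowed, the attributes of the kept tags need to be validated or rebuilt by a purpose-built HTML sanitizer, which is the "other measures" the answer above refers to.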