question about strip_tags

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL

question about strip_tags

Post by seodevhead »

I have a quick question regarding the use of the strip_tags() function...

When I output database data to the browser, I have usually done it like so:


echo stripslashes(htmlentities($db_output));
Would it be advisable to also add the strip_tags() function to this output? I don't want any PHP/HTML in the output, but I wasn't sure if this function is necessary since I already use htmlentities(). Interested in what you guys would advise. Thanks for your help.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

strip_tags() won't remove anything if it's done after htmlentities()
seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL

Post by seodevhead »

So the only real use for the strip_tags() function is when you allow people to post HTML but don't want them to post PHP?
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

No.

strip_tags() does what it says. It attempts to strip HTML tags out of text. So if you had <b>hi</b> and used strip_tags() on it, it would just come out as 'hi'.

If you've run htmlentities() on some text, then the tags have been turned into their entity text of &lt; and &gt;. When strip_tags() goes to strip the tags, there aren't any to strip!
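The ordering point made in the replies above, as an added example that is not part of the thread. The sample value of $db_output is constructed; the three variable names are illustrative and not from the original post.

```php
<?php
// Added example, not from the thread: shows why the order of strip_tags()
// and htmlentities() matters. $db_output is a constructed sample value.
declare(strict_types=1);

// Constructed sample: what a user might have stored in the database.
$db_output = 'Hello <b>world</b> <script>alert("xss")</script>';

// 1. htmlentities() first, then strip_tags(): strip_tags() finds no tags,
//    because every '<' has already become '&lt;'. The entity text is unchanged.
$entitiesThenStrip = strip_tags(htmlentities($db_output, ENT_QUOTES, 'UTF-8'));

// 2. strip_tags() first, then htmlentities(): the tags are removed, then
//    whatever is left is still entity-encoded before it reaches the browser.
//    Note that strip_tags() removes the <script> tags but not the text
//    between them, so "alert(...)" survives as plain (escaped) text.
$stripThenEntities = htmlentities(strip_tags($db_output), ENT_QUOTES, 'UTF-8');

// 3. htmlentities() alone: nothing is removed, but nothing is rendered as
//    markup either; the browser shows the literal tags as text.
$entitiesOnly = htmlentities($db_output, ENT_QUOTES, 'UTF-8');

printf("entities then strip: %s\n", $entitiesThenStrip);
printf("strip then entities: %s\n", $stripThenEntities);
printf("entities only:       %s\n", $entitiesOnly);
```

Cases 1 and 3 print the same string. stripslashes(), which the original snippet also applies, is unrelated to either function: it only removes backslashes, which is only correct if the stored value was escaped with addslashes() or magic_quotes on the way in; otherwise it silently mangles legitimate backslashes in the data.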
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

htmlentities() will take special characters, quotes (see the ENT_QUOTES option), and such - including the characters used to create tags for HTML - and turn them all into entities. Entities are not parsed by the browser - it displays their decoded literal values. I.e. it will print <b> on screen when entitised to &lt;b&gt; rather than rendering it as an opening bold tag.

strip_tags() attempts to remove all HTML tags from the string value it is passed, unless a list of tags to keep is specified. So, it can be used in a system to allow only a small number of tags to be used. However you shouldn't rely on it completely. For starters it can still allow JavaScript to be injected within attributes of allowed tags, leading to XSS exploits... You should Google and read up on using strip_tags() in conjunction with other measures.
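The attribute problem described in the reply above, as an added example that is not from the thread. The user HTML is constructed, and filterHtml() and sanitizeNode() are illustrative names for a small DOM-based filter written for this example, not a PHP API; it allow-lists attributes as well as tags, which is the part strip_tags() does not do.

```php
<?php
// Added example, not from the thread. It shows that strip_tags() with an
// allow-list keeps every attribute on the allowed tags, so event handlers
// and javascript: URLs survive, and contrasts it with a small DOM-based
// filter that allow-lists attributes too. The input is constructed, and
// filterHtml()/sanitizeNode() are illustrative names, not a PHP API.
declare(strict_types=1);

// Constructed "user" HTML with three attribute-based payloads and one
// harmless link.
$userHtml = '<b onmouseover="alert(1)">bold</b> '
          . '<a href="javascript:alert(2)">link</a> '
          . '<a href="https://example.com/">ok</a> '
          . '<img src=x onerror="alert(3)">';

// strip_tags() removes <img>, but leaves <b> and <a> exactly as written,
// attributes included: onmouseover and the javascript: href both survive.
$withStripTags = strip_tags($userHtml, '<b><a>');

/**
 * Recursively keep only allow-listed elements and attributes.
 * $allowed maps a lower-case tag name to the attribute names it may carry.
 * Disallowed elements are unwrapped (their text survives) except <script>
 * and <style>, which are removed together with their contents.
 */
function sanitizeNode(DOMNode $node, array $allowed): void
{
    // Snapshot the children: removing or moving nodes while iterating the
    // live DOMNodeList would skip entries.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if (!$child instanceof DOMElement) {
            // Keep text; drop comments, processing instructions, etc.
            if (!$child instanceof DOMText) {
                $node->removeChild($child);
            }
            continue;
        }
        sanitizeNode($child, $allowed);          // clean the subtree first
        $tag = strtolower($child->tagName);
        if (!isset($allowed[$tag])) {
            if ($tag === 'script' || $tag === 'style') {
                $node->removeChild($child);
                continue;
            }
            // Unwrap: hoist the (already sanitized) children, drop the element.
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, $allowed[$tag], true)) {
                $child->removeAttribute($attr->name);   // e.g. onmouseover
            } elseif (($name === 'href' || $name === 'src')
                      && !preg_match('~^https?://~i', trim($attr->value))) {
                $child->removeAttribute($attr->name);   // e.g. javascript:
            }
        }
    }
}

function filterHtml(string $html, array $allowed): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // silence parser warnings
    // The XML PI tells libxml the input is UTF-8; <body> gives the
    // fragment a container whose children are serialized at the end.
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    libxml_use_internal_errors($prev);
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';                              // unparseable input: emit nothing
    }
    sanitizeNode($body, $allowed);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Allow <b> with no attributes and <a> with only href.
$filtered = filterHtml($userHtml, ['b' => [], 'a' => ['href']]);

echo "strip_tags: ", $withStripTags, "\n";
echo "filterHtml: ", $filtered, "\n";
```

In the filtered output the onmouseover and onerror handlers are gone, the javascript: href has been removed from its <a>, and the https link is kept. Because the DOM parser decodes attribute values before the scheme check runs, an entity-encoded scheme such as `&#106;avascript:` is caught as well, which a regex over the raw string would miss. For anything beyond a demonstration, a maintained sanitizer library such as HTML Purifier is the safer choice, and the result still needs escaping appropriate to wherever it is finally inserted.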