question about strip_tags
Posted: Fri May 05, 2006 10:29 am
by seodevhead
I have a quick question regarding the use of the strip_tags() function...
When I output database data to the browser, I have usually done it like so:
Code:
echo stripslashes(htmlentities($db_output));
Would it be advisable to also add the strip_tags() function to this output? I don't want any PHP/HTML in the output, but I wasn't sure if this function is necessary since I already use htmlentities(). Interested in what you guys would advise. Thanks for your help.
Posted: Fri May 05, 2006 10:42 am
by feyd
strip_tags() won't remove anything if it's done after htmlentities()
Posted: Fri May 05, 2006 11:02 am
by seodevhead
So the only real use for the strip_tags() function is when you allow people to post HTML but don't want them to post PHP?
Posted: Fri May 05, 2006 11:11 am
by s.dot
No.
strip_tags() does what it says. It attempts to strip HTML tags out of text. So if you had <b>hi</b> and used strip_tags() on it, it would just come out as 'hi'.
If you've run htmlentities() on some text, then the tags have been turned into their entity text of &lt; and &gt;. When strip_tags() goes to strip the tags, there aren't any to strip!
Posted: Fri May 05, 2006 11:21 am
by Maugrim_The_Reaper
htmlentities() will take special characters, quotes (see the ENT_QUOTES option), and such, including the characters used to create tags for HTML, and turn them all into entities. Entities are not parsed by the browser; it displays their decoded literal values. I.e. it will print <b> on screen when entitised to &lt;b&gt; rather than rendering it as an opening bold tag.
strip_tags() attempts to remove all html tags from the string value it is passed, unless a list of tags to ignore is specified. So, it can be used in a system to allow only a small number of tags to be used. However you shouldn't rely on it completely. For starters it can still allow javascript to be injected within attributes to allowed tags leading to XSS exploits... You should google and read up on using strip_tags() in conjunction with other measures.
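To make the three points in this thread concrete (strip_tags() finds nothing to strip after htmlentities(), strip_tags() keeps the text inside removed tags, and an allow-list keeps every attribute of an allowed tag, event handlers and javascript: URLs included), here is an added example script. It is not code from the thread; the $db_output value is a constructed sample standing in for a database row, and render_text() is a hypothetical helper name.

```php
<?php
// Added example, not from the original thread.
// Constructed sample input as it might come out of the database: some
// harmless markup plus an attacker-supplied link and script.
$db_output = 'Hi <b>there</b> '
    . '<a href="javascript:alert(1)" onmouseover="alert(2)">click</a>'
    . '<script>alert(3)</script>';

// Hypothetical helper for the questioner's case (no markup wanted at all):
// escape rather than strip, so the text survives intact and the browser
// shows the tags literally instead of rendering them.
function render_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 1. Escaping alone: every < > " ' & becomes an entity, so nothing is
//    parsed as a tag. This is the approach from the first post.
$escaped = htmlentities($db_output, ENT_QUOTES, 'UTF-8');
echo "escaped:      ", $escaped, "\n";

// 2. strip_tags() after htmlentities(): there are no '<' or '>' characters
//    left, so the string comes back unchanged (feyd's point).
$stripped_after = strip_tags($escaped);
echo "unchanged:    ", var_export($stripped_after === $escaped, true), "\n";

// 3. strip_tags() with no allow-list on the raw text: tags are removed,
//    but the text between them, including the script body, is kept.
echo "stripped:     ", strip_tags($db_output), "\n";

// 4. strip_tags() with an allow-list: <b> and <a> are kept together with
//    all of their attributes, so the javascript: href and the onmouseover
//    handler survive (Maugrim_The_Reaper's XSS caveat). Any attribute
//    filtering has to be done by something other than strip_tags().
$partial = strip_tags($db_output, '<b><a>');
echo "allow-listed: ", $partial, "\n";
echo "still has handler: ",
    var_export(stripos($partial, 'onmouseover=') !== false, true), "\n";

// 5. The escaped rendering for the no-markup case.
echo "render_text:  ", render_text($db_output), "\n";
```

Run it from the command line with `php example.php` and compare the "stripped" and "allow-listed" lines: the former shows that stripping keeps tag contents, the latter shows that an allow-list does nothing about attributes. If some tags must be allowed, the attribute filtering has to come from a separate sanitiser; strip_tags() only decides which tag names survive.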