[naissa]

I'm deciding whether to use strip_tags or htmlspecialtags when processing input into the mysql database.

What is the upsides/downsides of using each? I want people to enter text without html/php tags.

Also when should we use stripslashes? Before entering input into a database or after retrieving input from a database?

Thanks!

[Kelvin]

Use strip_tags, it actually removes the tags from the string.

Htmlspecialchars converts charactors used in html (such as <> etc) into their text equivilant, i.e. < gets converted to "&lt;" and > to "&gt;".

Run this code, it'll show you the effects:

PHP Code:

<?php



$test_string = "<br>So Here Are...<br>";



echo "You should see no tags: " . strip_tags($test_string);

echo "<br>";  

echo "You should see the tags represented as code: " . htmlentities($test_string);

?>

[naissa]

Thanks!

Also,

Also when should we use stripslashes? Before entering input into a database or after retrieving input from a database?

[Keyne]

Before entering input, I think. But in some cases you'll need after.

[Nico]

If you have magic quotes gpc enabled, PHP will automatically escape all quotes by putting a backslash in front of them. To remove them you can use stripslashes(). It's however rarely used nowadays...

www.php.net/stripslashes

[heath]

What is rarely used nowadays... stripslashes?

[naissa]

stripslashes is rarely used nowadays. Question - What functions should one use for input? To make sure input safe.

[Nico]

That depends on what you want to do with it.

[dustin56]

Using either addslashes() or having magic_quotes_gpc on, in combination with strip_tags() *should* make the data safe to insert into a database. But really, you should be using regular expressions to check the data submitted by forms to ensure that it
1.) does not contain malicious code
2.) matches the data type of the database field into which it will be inserted
3.) meets any other specific requirements of the application

You can always checkout PEAR. There are some pretty decent form handlers available that could save you some time.

[curbview.com]

Quote:

Originally Posted by dustin56

Using either addslashes() or having magic_quotes_gpc on, in combination with strip_tags() *should* make the data safe to insert into a database. But really, you should be using regular expressions to check the data submitted by forms to ensure that it
1.) does not contain malicious code
2.) matches the data type of the database field into which it will be inserted
3.) meets any other specific requirements of the application

You can always checkout PEAR. There are some pretty decent form handlers available that could save you some time.

Does any of that prevent Cross Site Scripting type injections? NO. The best thing to do is use a regex to only allow chars that are acceptable.