On Wednesday, 28 June 2017 at 19:14:19 UTC, aberba wrote:
> I'm already using prepared statements thoroughly. strip_tags() has its own uses beside making it safe for db storage.
Prepared statements fight SQL injection at save time. HTML encoding is about fighting XSS when displaying stuff to the browser.
XSS is when some user inserts a script on your site that another user then sees and executes as them.
Personally, I'd never use a strip_tags function. I'd actually parse the HTML, work on a DOM level, then re-output it with proper encoding for whatever context it is being used in.
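
The parse-then-re-encode approach the reply describes, as an added example that is not the poster's code and not PHP's strip_tags(): it is written in Python on top of the standard-library html.parser, since that is the smallest runnable stand-in for "parse the HTML, work on the tree, re-output with context-appropriate encoding". The tag allowlist, attribute allowlist and the list of accepted URL schemes are assumptions for the demo; a real site would tune them to its own markup needs.

```python
# Added example (not from the forum post): an allowlist HTML sanitizer that
# parses user-supplied HTML into a stream of tree events, keeps only known-safe
# tags and attributes, and re-serializes it with every text node and attribute
# value HTML-encoded for its context. The allowlists are demo assumptions.
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}        # everything else (onclick, style...) is dropped
VOID_TAGS = {"br"}                              # never get a closing tag
DROP_WITH_CONTENT = {"script", "style"}         # drop the element *and* its text
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL


def url_is_safe(value):
    """Reject javascript:/data:/vbscript: links, including ones padded with
    control characters or whitespace that browsers silently ignore."""
    cleaned = "".join(ch for ch in (value or "") if ord(ch) > 32)
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True: entities in text and attribute values are
        # decoded on input, so encoding them again on output is correct.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack used to close tags the user left open
        self.skipping = 0     # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_WITH_CONTENT:
            self.skipping = 1
            return
        if tag not in ALLOWED_TAGS:
            return            # unknown tag: drop the tag, keep its inner text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and not url_is_safe(value):
                continue
            # attribute context: quote=True also encodes " and '
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag in DROP_WITH_CONTENT:
                self.skipping = 0
            return
        if tag not in self.open_tags:
            return            # stray close tag, or one for a tag we never emitted
        # Close down to the matching tag so mis-nested input re-serializes as a tree.
        while self.open_tags:
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skipping:
            # text context: < > & are encoded; quotes are harmless in text
            self.out.append(html.escape(data, quote=False))

    # Comments, doctypes and processing instructions: nothing a user should contribute.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass

    def result(self):
        self.close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment):
    """Return a fragment that is safe to place in an HTML text context."""
    s = AllowlistSanitizer()
    s.feed(fragment)
    return s.result()


if __name__ == "__main__":
    # Constructed inputs resembling what a comment form might receive.
    for sample in [
        '<b>hi</b><script>alert(1)</script>',
        '<a href="javascript:alert(1)" onclick="steal()">click</a>',
        '<a href="https://example.com" title=\'say "hi"\'>ok</a>',
        '<img src=x onerror=alert(1)>6 > 5 & "quotes"',
        '<b><i>unclosed',
    ]:
        print(repr(sample), "->", repr(sanitize_html(sample)))
```

Note what this does that strip_tags() does not: text and attribute values are encoded on the way out rather than merely having angle brackets removed, event-handler attributes and unsafe URL schemes are dropped by allowlist rather than by pattern, and the output is always a well-formed tree (unclosed and mis-nested tags are repaired), so the browser cannot be tricked into reading a later part of the page as part of the user's fragment. The result is only correct for an HTML text context; a value destined for a JavaScript string or a URL parameter needs that context's own encoding.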
