ID: 33275
Comment by: nick dot telford at gmail dot com
Reported By: slawek at truxe dot com
Status: Open
Bug Type: Strings related
Operating System: Windows 2003 Server
PHP Version: 4.3.11

New Comment:

Not really much of a bug; strip_tags() simply strips everything between a pair of angle brackets. It's not designed to be an incredibly intelligent function. For your case, where you wish to strip tags out of input to an SQL query, simply do something like this:

    $sql = "SELECT something FROM table WHERE field <= " . strip_tags($number);

A glance over the Database Security pages in the PHP docs might prove beneficial: www.php.net/security.database

Previous Comments:
------------------------------------------------------------------------

[2005-06-08 13:55:46] slawek at truxe dot com

Description:
------------
    // strip_tags() strips everything after "<="
    // strings like >= not affected
    <?php
    $anyvalue = 10;
    $sql_query = "select * from anytable where anycolumn <= '" . $anyvalue . "'";
    // after that
    $sql_query = strip_tags($sql_query);
    ?>

    // result of print $sql_query;
    select * from anytable where anycolumn

    // should be
    select * from anytable where anycolumn <= '10'

Reproduce code:
---------------
    // strip_tags() strips everything after "<="
    // strings like >= not affected
    <?php
    $anyvalue = 10;
    $sql_query = "select * from anytable where anycolumn <= '" . $anyvalue . "'";
    // after that
    $sql_query = strip_tags($sql_query);
    print $sql_query;
    ?>

Expected result:
----------------
    select * from anytable where anycolumn <= '10'

Actual result:
--------------
    select * from anytable where anycolumn

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=33275&edit=1
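The script below is an added example written for this page; it is not code from the bug report, from the commenter, or from PHP's own sources. It reproduces the truncation described in the report, shows why strip_tags() (an HTML filter) is the wrong tool for SQL input even when applied only to the value as the comment suggests, and shows the prepared-statement approach the linked Database Security pages recommend. It assumes a PHP build with the pdo_sqlite extension (PDO is PHP 5.1+, so this is newer than the 4.3.11 in the report); the table, its rows, the sample inputs and the function name rows_up_to are all constructed for the demonstration.

```php
<?php
// Added example, not part of bug 33275. Assumes pdo_sqlite is available;
// the table, rows and inputs below are constructed for the demo.

// 1. The behaviour from the report: strip_tags() treats '<' as the start of a
//    tag and scans for a closing '>'. There is none, so '<=' and everything
//    after it is removed and the query loses its WHERE condition.
$anyvalue  = 10;
$sql_query = "select * from anytable where anycolumn <= '" . $anyvalue . "'";
echo strip_tags($sql_query), "\n";

// 2. The comment's suggestion, strip_tags() on the value only, keeps the
//    operator. But strip_tags() removes tags, nothing else: a quote character
//    in the value passes straight through and ends the SQL string literal
//    early. An HTML filter is not an SQL escaper.
$untrusted = "O'Reilly";                         // constructed sample input
$sql_query = "select * from anytable where anycolumn <= '" . strip_tags($untrusted) . "'";
echo $sql_query, "\n";

// 3. What a database query actually needs: validate the value against the
//    column's type, then bind it as a parameter. The driver sends the value
//    separately from the SQL text, so it can never be parsed as SQL and
//    strip_tags() has no role here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE anytable (anycolumn INTEGER)");
$insert = $pdo->prepare("INSERT INTO anytable (anycolumn) VALUES (:v)");
foreach ([5, 10, 15] as $v) {                   // constructed rows
    $insert->execute([':v' => $v]);
}

// Hypothetical helper name; returns the anycolumn values <= $untrusted.
function rows_up_to(PDO $pdo, string $untrusted): array
{
    // Accept only what the column holds: an integer. Reject anything else
    // before it gets near the query.
    $bound = filter_var($untrusted, FILTER_VALIDATE_INT);
    if ($bound === false) {
        throw new InvalidArgumentException("bound must be an integer");
    }
    $stmt = $pdo->prepare("SELECT anycolumn FROM anytable WHERE anycolumn <= :bound");
    $stmt->bindValue(':bound', $bound, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r(rows_up_to($pdo, "10"));                 // rows with anycolumn <= 10

try {
    rows_up_to($pdo, "O'Reilly");                // rejected by validation
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// 4. Where strip_tags() does belong: filtering HTML when a value is displayed,
//    and even there htmlspecialchars() (escaping on output) is the safer default.
echo htmlspecialchars("<b>10</b>", ENT_QUOTES, 'UTF-8'), "\n";
```

The design point is separation of concerns: the value is validated for the column's type, transported to the database as a bound parameter rather than as part of the SQL text, and escaped for HTML only at the point where it is rendered. Each layer protects against its own class of problem, and none of them needs strip_tags() on the query string.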
