ID:               33275
Updated by:       [EMAIL PROTECTED]
Reported By:      slawek at truxe dot com
-Status:          Open
+Status:          Bogus
Bug Type:         Strings related
Operating System: Windows 2003 Server
PHP Version:      4.3.11
New Comment:

Thank you for taking the time to write to us, but this is not a bug.
Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report a bug at
http://bugs.php.net/how-to-report.php

Why are you running strip tags on SQL anyway? :)

Previous Comments:
------------------------------------------------------------------------

[2005-06-08 15:14:01] nick dot telford at gmail dot com

Not really much of a bug: strip_tags() simply strips everything between a
pair of angle brackets. It's not designed to be an incredibly intelligent
function.

For your case, where you wish to strip tags out of input to an SQL query,
simply do something like this.

$sql = "SELECT something FROM table WHERE field <= " . strip_tags($number);

A glance over the Database Security pages in the PHP docs might prove
beneficial: www.php.net/security.database

------------------------------------------------------------------------

[2005-06-08 13:55:46] slawek at truxe dot com

Description:
------------
// strip_tags() strips everything after "<="
// strings like >= not affected

<?php
$anyvalue = 10;
$sql_query = "select * from anytable where anycolumn <= '" . $anyvalue . "'";
// after that
$sql_query = strip_tags($sql_query);
?>

// result of print $sql_query;
select * from anytable where anycolumn

// should be
select * from anytable where anycolumn <= '10'

Reproduce code:
---------------
// strip_tags() strips everything after "<="
// strings like >= not affected

<?php
$anyvalue = 10;
$sql_query = "select * from anytable where anycolumn <= '" . $anyvalue . "'";
// after that
$sql_query = strip_tags($sql_query);
print $sql_query;
?>

Expected result:
----------------
select * from anytable where anycolumn <= '10'

Actual result:
--------------
select * from anytable where anycolumn

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=33275&edit=1
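Added example, not part of the bug report or of PHP itself: it reproduces the truncation from the report, shows why strip_tags() is not a SQL safeguard even when applied only to the value as suggested above, and contrasts it with validating the value and binding it as a parameter. It assumes the pdo_sqlite extension; the table, rows and the helper fetchUpTo() are constructed for the demonstration.

```php
<?php
// Added example (not from the bug report). Assumes pdo_sqlite is available.

$anyvalue = 10;

// 1. strip_tags() over the whole query: "<=" opens a "tag" that never closes,
//    so everything from the "<" onward is discarded. ">=" contains no "<"
//    and the second query comes back unchanged.
$q1 = "select * from anytable where anycolumn <= '" . $anyvalue . "'";
$q2 = "select * from anytable where anycolumn >= '" . $anyvalue . "'";
var_dump(strip_tags($q1));
var_dump(strip_tags($q2) === $q2);

// 2. Applying strip_tags() only to the value (as the reply suggests) avoids
//    the truncation, but it is still not validation: any text without angle
//    brackets passes through untouched, so it does nothing against injection.
$tainted = "10 or 1=1";                       // constructed sample input
var_dump(strip_tags($tainted) === $tainted);  // nothing was removed

// 3. Validate the value as the type the column expects, then bind it.
//    The SQL text is fixed at compile time; the value never becomes SQL.
function fetchUpTo(PDO $db, $input): array {   // hypothetical helper
    $n = filter_var($input, FILTER_VALIDATE_INT);
    if ($n === false) {
        throw new InvalidArgumentException("anycolumn bound must be an integer");
    }
    $stmt = $db->prepare("select * from anytable where anycolumn <= :v");
    $stmt->bindValue(':v', $n, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory table so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("create table anytable (anycolumn integer)");
$db->exec("insert into anytable values (5), (10), (15)");

print_r(fetchUpTo($db, $anyvalue));           // only rows with anycolumn <= 10
try {
    fetchUpTo($db, $tainted);                 // rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;
}
```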
