On Tue, Aug 12, 2008 at 4:53 PM, Philip Thompson <[EMAIL PROTECTED]> wrote:
> On Aug 12, 2008, at 2:10 PM, Andrew Ballard wrote:
>
>> On Tue, Aug 12, 2008 at 2:47 PM, Philip Thompson <[EMAIL PROTECTED]> wrote:
>>>
>>> Hi all.
>>>
>>> If you are sanitizing _POST input for a database by escaping (via mysql_*),
>>> is there a reason to use strip_tags()? If so, why and could you provide an
>>> example?
>>>
>>> Thanks,
>>> ~Philip
>>>
>>
>> The database won't care whether the content includes HTML tags. So, in
>> that sense, there isn't a reason.
>>
>> However, there are other reasons. For one, often the contents are
>> rendered in a web browser and you may not want the full array of HTML
>> tags to appear in the generated source code either for security
>> reasons or for aesthetics. Another is that a lot of times HTML code
>> can have tag bloat. Unnecessary tags reduce the amount of actual
>> content you can store in a limited character column even though they
>> may contribute little useful formatting.
>>
>> I think it's a good idea to decide exactly what HTML tags you want to
>> allow. Then you have a few options with what you do with tags you
>> don't want, such as stripping them out using strip_tags() with the
>> optional parameter to allow those tags, or escaping the rest of the
>> text with htmlspecialchars(). If you strip the tags out, it makes
>> sense to do this before you save the value so they only need to be
>> stripped out once.
>>
>>
>> Andrew
>
> Thanks Andrew and Richard. I have another question which I can't seem to
> find in the manual.
>
> Will strip_tags() only strip known HTML tags or will it just strip anything
> within < and >? I have some encrypted data that may contain < and >, and I
> don't want strip_tags() to remove the characters in this encrypted string.
>
> <DÃ"ý€>û¥63 ôà ×¼7
>
> So, from this, I don't want "<DÃ"ý€>" removed. Obviously, this isn't a
> standard HTML tag. Thoughts?
>
> Thanks,
> ~Philip
Try it and see, but it looks like the answer is "it depends". I ran your
message text through strip_tags and it seems to remove the greater-than
signs when followed by non-whitespace characters, but left them when they
were surrounded by whitespace. Compare below to your original message:

[---snip---]
Thanks Andrew and Richard. I have another question which I can't seem to
find in the manual.

Will strip_tags() only strip known HTML tags or will it just strip anything
within < and >? I have some encrypted data that may contain < and >, and I
don't want strip_tags() to remove the characters in this encrypted string.

û¥63 ôà ×¼7

So, from this, I don't want "" removed. Obviously, this isn't a
standard HTML tag. Thoughts?
[---snip---]

Andrew
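An added example, not code posted in this thread, that reproduces on constructed bytes the behaviour Andrew observed and shows one way to keep ciphertext away from strip_tags(); the field names, the base64 step and the sample values are assumptions.

```php
<?php
// Added example, not code from the thread. It reproduces on constructed
// bytes what strip_tags() does to data that merely looks like a tag, and
// shows one way to keep ciphertext out of its reach.

// Constructed "ciphertext": raw bytes that start with '<' and contain a
// '>' a few bytes later. Deliberately no ASCII quote between them, since a
// quote inside a tag makes strip_tags() look for its closing partner.
$cipher = "<D\xc3\x94\xfd\x80>\xfb\xa5" . "63 \xf4\xe0 \xd7\xbc" . "7";

// 1. strip_tags() knows no tag names: any "<...>" span whose first byte
//    after '<' is not whitespace is treated as a tag and dropped.
$stripped = strip_tags($cipher);
printf("%d bytes in, %d bytes out\n", strlen($cipher), strlen($stripped));

// 2. A '<' followed by whitespace and a stray '>' are left alone, which is
//    why "within < and >" survived in the quoted message.
echo strip_tags("within < and >"), "\n";

// 3. Keep binary data away from the tag stripper entirely: encode it into
//    an alphabet with no '<' or '>' for the text column, decode on read.
$column_value = base64_encode($cipher);
var_dump(base64_decode($column_value, true) === $cipher);

// 4. Decide per field, once, before saving (assumed field names).
function prepare_for_storage(array $post): array {
    return [
        // limited HTML wanted: strip with an allow list so it is done once
        'comment' => strip_tags($post['comment'], '<b><i>'),
        // no HTML wanted: store verbatim, escape at the HTML output sink
        'name'    => $post['name'],
        // ciphertext: never through strip_tags(); encode instead
        'blob'    => base64_encode($post['blob']),
    ];
}

// SQL escaping (mysql_real_escape_string in the thread's era, a prepared
// statement today) happens at the query; HTML escaping happens at the page.
$row = prepare_for_storage([
    'comment' => '<b>hi</b><script>x</script>',
    'name'    => 'O\'Brien <x>',
    'blob'    => $cipher,
]);
echo $row['comment'], "\n";
echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
echo strlen(base64_decode($row['blob'], true)), "\n";
```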