Op 3/14/10 11:45 AM, Ashley Sheridan schreef:
> On Sun, 2010-03-14 at 12:25 +0100, Rene Veerman wrote:
>> On Sun, Mar 14, 2010 at 12:24 PM, Rene Veerman <rene7...@gmail.com> wrote:
>>> I'd love to have a copy of whatever function you use to filter out bad
>>> HTML/js/flash for use cases where users are allowed to enter html.
>>> I'm aware of strip_tags() "allowed tags" param, but haven't got a good list
>>> for it.
>> oh, and even <img> tags can be used for cookie-stuffing on many browsers..
> Yes, and you call strip_tags() before the data goes to the browser for
> display, not before it gets inserted into the database. Essentially, you
> need to keep as much original information as possible.

I disagree with both you. I'm like that :)

let's assume we're not talking about data that is allowed to contain HTML,
in such cases I would do a strip_tags() on the incoming data then compare
the output ofstrip_tags() to the original input ... if they don't match then
I would log the problem and refuse to input the data at all.

using strip_tags() on a piece of data everytime you output it if you know
that it shouldn't contain any in the first is a waste of resources ... this
does assume that you can trust the data source ... which in the case of a 
that you control should be the case.

at any rate, strip_tags() doesn't belong in an 'anti-sql-injection' routine as
it has nothing to do with sql injection at all.

> Thanks,
> Ash
> http://www.ashleysheridan.co.uk

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to