Why do a lot of people use both these functions on a string?
I see a lot of stripslashes(strip_tags($field)); (or the other way around)
Isn't strip_tags enough to filter any xss stuff and such things?
The stripslashes() function removes backslashes added by the addslashes() function. Tip: This function can be used to clean up data retrieved from a database or from an HTML form.
PHP provides an inbuilt function to remove the HTML tags from the data. The strip_tags() function is an inbuilt function in PHP that removes the strings from HTML, XML and PHP tags. It accepts two parameters. This function returns a string with all NULL bytes, HTML, and PHP tags stripped from a given $str.
Isn't strip_tags enough to filter any xss stuff and such things?
Nope. The only safe way to filter out XSS stuff is htmlspecialchars(), although I see many recommendations to use strip_tags() in addition.
See e.g. discussion in this question: Is preventing XSS and SQL Injection as easy as does this…
What the stripslashes is supposed to do in this context, I have no idea. It is probably an attempt to undo the effects of the now-deprecated magic quotes function - but this should never be applied without checking first whether that particular function is enabled.
Escaping data has nothing to do with strip_tags or stripslashes. These functions filter certain characters out of a string, while "escaping" encodes certain characters so they won't be interpreted by a browser or database.
You can use strip_tags to remove HTML tags in strings being sent to PHP from the browser. Better yet, you could also safely store the same data without passing it through strip_tags if you use htmlspecialchars to escape any characters that could delimit tags when you send the data back to the browser.
stripslashes removes slashes from a string, and you only need to worry about it if "magic quotes" are enabled. It's a hold-over from an earlier time when the PHP devs naively assumed every piece of data coming from the browser was destined for a database and that developers couldn't be trusted to escape the database themselves.
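As an added example (not code from any of the answers above), the following PHP puts the filter-versus-escape distinction and the "check magic quotes first" advice into working form. The helper names e_html(), filter_then_escape() and undo_magic_quotes() and the sample form value are assumptions made for this illustration.

```php
<?php
// Added example: filtering (strip_tags) vs. escaping (htmlspecialchars),
// plus a guarded stripslashes(). Helper names are illustrative only.
declare(strict_types=1);

// Escape for an HTML text node or a double-quoted attribute value.
// ENT_QUOTES encodes both ' and ", so one helper covers both contexts.
function e_html(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// strip_tags() is a filter: it deletes tag-like sequences and hands back the
// rest unchanged, so quotes and ampersands survive it. Useful when you do not
// want markup stored at all, but it is not output encoding, so escape anyway.
function filter_then_escape(string $untrusted): string
{
    return e_html(strip_tags($untrusted));
}

// Only undo magic quotes if they were actually applied. The feature was
// removed in PHP 5.4 and get_magic_quotes_gpc() itself in PHP 8.0, so on
// current PHP this is a no-op; blindly calling stripslashes() would instead
// corrupt legitimate backslashes in user input.
function undo_magic_quotes(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Constructed sample input, standing in for $_POST['field'].
$field = 'O\'Reilly & <b>Sons</b> wrote "C:\\path" <i>here</i>';

$clean = undo_magic_quotes($field);

// Filtering alone: the <b> and <i> tags are gone, but the quotes and the
// ampersand are still raw characters, so this must not be echoed as-is.
$filtered = strip_tags($clean);

// Escaping at the output boundary is what makes the value safe to emit,
// in a text node or inside a quoted attribute.
echo '<p>' . e_html($clean) . '</p>' . PHP_EOL;
echo '<input type="text" value="' . e_html($clean) . '">' . PHP_EOL;

// If you also want no markup stored, filter first and still escape on output.
echo '<p>' . filter_then_escape($clean) . '</p>' . PHP_EOL;
```

Run it with `php example.php` and compare the three output lines against the raw `$filtered` string to see what each step does and does not change.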