Escaping data - stripslashes, strip_tags

Question

Why do a lot of people use both these functions on a string? I see a lot of stripslashes(strip_tags($field)); (or the other way around)

Isn't strip_tags enough to filter any xss stuff and such things?

Answer 1

Isn't strip_tags enough to filter any xss stuff and such things?

Nope. The only safe way to filter out XSS stuff is htmlspecialchars(), although I see many recommendations to use strip_tags() in addition.

See e.g. discussion in this question: Is preventing XSS and SQL Injection as easy as does this…

What the stripslashes is supposed to do in this context, I have no idea. It is probably an attempt to undo the effects of the now-deprecated magic quotes function - but this should never be applied without checking first whether that particular function is enabled.

Answer 2

Escaping data has nothing to do with strip_tags or stripslashes. These functions filter certain characters out of a string while "escaping" encodes certain characters so they won't be interpreted by a browser or database.

You can use strip_tags to remove HTML tags in strings being sent to PHP from the browser. Better yet, you could also safely store the same data without passing it through strip_tags if you use htmlspecialchars to escape any characters that could delimit tags when you send the data back to the browser.

stripslashes removes slashes from a string, and you only need to worry about it if "magic quotes" are enabled. It's a hold-over from an earlier time when the PHP devs naively assumed every piece of data coming from the browser was destined for a database and that developers couldn't be trusted to escape the database themselves.