Escaping data - stripslashes, strip_tags

Tags:

html

php

escaping

Why do a lot of people use both these functions on a string? I see a lot of stripslashes(strip_tags($field)); (or the other way around)

Isn't strip_tags enough to filter any XSS stuff and such things?

Alex Avatar asked Oct 29 '10 20:10




2 Answers

Isn't strip_tags enough to filter any XSS stuff and such things?

Nope. The only safe way to filter out XSS stuff is htmlspecialchars(), although I see many recommendations to use strip_tags() in addition.

See e.g. discussion in this question: Is preventing XSS and SQL Injection as easy as does this…

What stripslashes is supposed to do in this context, I have no idea. It is probably an attempt to undo the effects of the now-deprecated magic quotes function, but this should never be applied without checking first whether that particular function is enabled.

Pekka Avatar answered Sep 29 '22 23:09

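An added example (not code from the answer above) showing why strip_tags() is not an XSS filter: it only removes complete tags, so payloads that never contain a tag pass through untouched, and what actually matters is the output context. All inputs are constructed for this demo; esc_html() and safe_href() are helper names chosen here, not PHP built-ins.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Inputs below are constructed.

function esc_html(string $v): string {
    // Encode for an HTML text node or quoted attribute. ENT_QUOTES covers both
    // quote characters, which is what prevents attribute breakout.
    return htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function safe_href(string $v): string {
    // Encoding is not enough for URL attributes: "javascript:alert(1)" contains
    // no HTML metacharacters, so htmlspecialchars() returns it unchanged.
    // The scheme has to be allow-listed explicitly.
    $scheme = strtolower((string) parse_url($v, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? esc_html($v) : '#';
}

// 1. Attribute context. The payload has no complete tag, so strip_tags() does nothing.
$attr = '" onmouseover="alert(1)';
printf("strip_tags altered it: %s\n", var_export(strip_tags($attr) !== $attr, true));
printf("<input value=\"%s\">   (after strip_tags: injectable)\n", strip_tags($attr));
printf("<input value=\"%s\">   (after htmlspecialchars: inert)\n", esc_html($attr));

// 2. URL context. Neither function helps on its own; the scheme must be checked.
$url = 'javascript:alert(1)';
printf("<a href=\"%s\">x</a>   (strip_tags: runs on click)\n", strip_tags($url));
printf("<a href=\"%s\">x</a>   (htmlspecialchars: still runs on click)\n", esc_html($url));
printf("<a href=\"%s\">x</a>   (scheme check: neutralised)\n", safe_href($url));

// 3. Text-node context, the one place strip_tags() appears to work.
$tag = '<script>alert(1)</script>';
printf("<p>%s</p>   (strip_tags: tag removed, content kept)\n", strip_tags($tag));
printf("<p>%s</p>   (htmlspecialchars: displayed literally)\n", esc_html($tag));
```

Run it with `php example.php`. The attribute case is the one that trips people up: strip_tags() reports the input as clean because there is no `<`, yet the rendered `<input>` gains an event handler. Note also that htmlspecialchars() is correct only for HTML text and attribute values; a URL, a `<script>` block, or a CSS value each need their own context-specific encoding or validation.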


Escaping data has nothing to do with strip_tags or stripslashes. These functions filter certain characters out of a string while "escaping" encodes certain characters so they won't be interpreted by a browser or database.

You can use strip_tags to remove HTML tags in strings being sent to PHP from the browser. Better yet, you could also safely store the same data without passing it through strip_tags if you use htmlspecialchars to escape any characters that could delimit tags when you send the data back to the browser.

stripslashes removes slashes from a string, and you only need to worry about it if "magic quotes" are enabled. It's a hold-over from an earlier time when the PHP devs naively assumed every piece of data coming from the browser was destined for a database and that developers couldn't be trusted to escape the database themselves.

meagar Avatar answered Sep 30 '22 00:09

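An added example (not code from the answer above) of the approach it describes: apply stripslashes() only when magic quotes actually added the slashes, otherwise keep the submitted value as-is, store it raw, and escape per destination (parameter binding for the database, htmlspecialchars() for the browser). The form values and the SQLite table are constructed for this demo, and magic_quotes_on(), raw_input(), store() and show() are helper names chosen here; the example assumes the pdo_sqlite extension is available.

```php
<?php
declare(strict_types=1);

// Added example, not from the original answer. All inputs are constructed.

function magic_quotes_on(): bool {
    // Magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() itself was
    // removed in PHP 8.0. On any such version nothing added slashes, so there is
    // nothing to strip.
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

function raw_input(string $v): string {
    // Undo magic quotes only if they were actually applied to request data.
    return magic_quotes_on() ? stripslashes($v) : $v;
}

// Constructed form submissions (literals here, so magic quotes never touched them).
$windowsPath = 'C:\temp\new\file.txt';
$name        = "O'Reilly";

// Unconditional stripslashes() destroys legitimate backslashes:
var_dump(stripslashes($windowsPath));   // string(17) "C:tempnewfile.txt"
// The guarded form leaves the value alone when no slashes were added:
var_dump(raw_input($windowsPath));      // string(20) "C:\temp\new\file.txt"

// Escaping belongs at the point where data leaves PHP, chosen per destination.
function store(PDO $pdo, string $name): void {
    // Parameter binding: the quote in O'Reilly is data, never SQL syntax.
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

function show(string $name): string {
    // Browser output: encode metacharacters so the name renders but cannot
    // close an attribute or open a tag.
    return '<td>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// In-memory SQLite keeps the demo self-contained.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT)');

store($pdo, raw_input($name));
$stored = $pdo->query('SELECT name FROM users')->fetchColumn();

var_dump($stored === "O'Reilly");       // bool(true): stored verbatim, no slashes
echo show($stored), "\n";               // <td>O&#039;Reilly</td>
```

The point of keeping the stored value raw is that the same record can later be emitted into HTML, JSON, a shell command or a log file, each with its own escaping rules; a value pre-mangled with addslashes() or stripslashes() on the way in is wrong for every one of them except the one the author happened to have in mind.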