Escaping data - stripslashes, strip_tags

Why do many people use both of these functions on a string? I see a lot of stripslashes(strip_tags($field)); (or vice versa)

Isn't strip_tags enough to filter out any XSS stuff and such things?

+7
html php escaping
6 answers

Escaping data has nothing to do with strip_tags or stripslashes. These functions filter certain characters out of the string, while escaping encodes specific characters so that they will not be interpreted by the browser or the database.

You can use strip_tags to remove HTML tags from strings sent to PHP by a browser. However, you can just as safely store the same data without passing it through strip_tags if you use htmlspecialchars to escape any characters that might delimit tags when sending the data back to the browser.

stripslashes removes slashes from a string, and you only need to worry about it if "magic quotes" is turned on. This is a holdover from an earlier time when the PHP developers naively believed that every piece of data coming from the browser was destined for the database, and that developers could not be trusted to escape it themselves.

+9

Isn't strip_tags enough to filter out any XSS stuff and such things?

Nope. The only safe way to filter out XSS stuff is htmlspecialchars(), although I see a lot of recommendations for using strip_tags().

See the discussion in this question: Prevents XSS and SQL Injection as easy as it does ...

What stripslashes is supposed to strip in this context, I have no idea. It is probably an attempt to undo the effects of the obsolete magic quotes feature, but that should never be done without first checking whether that feature is actually enabled.

+5

When magic quotes are turned on, PHP automatically escapes quotes in all POST, GET, etc. variables; stripslashes removes those escapes before the data is used. strip_tags tries to remove all HTML tags.

+2

strip_tags() is usually not enough to prevent XSS attacks on its own, so it's best to err on the side of caution.

Consider the following:

 $str = "' onclick='javascript:alert(0);' alt='";
 echo "<a href='" . strip_tags($str) . "'></a>";
 // output is <a href='' onclick='javascript:alert(0);' alt=''></a>

HTML tags are not always needed to carry out an XSS attack. This may be a less effective attack, but nevertheless it is still a potential attack vector.

+1

I noticed that strip_tags() adds a backslash to quote characters. I checked, and magic_quotes_gpc is NOT turned on. The OP's initial question was why some coders wrap strip_tags() in stripslashes(), and that's why I do it: I don't want the database to store double backslashes, since I was already preparing my data before storing it in the database.

+1

stripslashes() is commonly used on servers with Magic Quotes enabled. Since Magic Quotes is deprecated (and not recommended), what you are probably looking for is addslashes(), which prevents SQL injection. For example, if your SQL statement reads:

 SELECT * FROM users WHERE username='$username' AND password = '$password' 

without addslashes(), you can perform SQL injection by setting the username to:

 admin'-- 

So, in other words, addslashes(), or better yet mysql_real_escape_string(), is for preventing SQL injection, and strip_tags() is for preventing XSS injection.

0
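As an added example (not code from the question or from any of the answers), the attribute payload from the strip_tags() answer above is run through filtering and then through escaping, stripslashes() is wrapped so it only runs when magic quotes is actually on, and the SELECT from the last answer is rewritten with bound parameters instead of addslashes(). It assumes PHP with PDO and the SQLite driver available for the runnable database part.

```php
<?php
// Constructed input: the same attribute-breaking string used in the strip_tags() answer.
$input = "' onclick='javascript:alert(0);' alt='";

// Filtering: strip_tags() only removes <...> tags. This string contains none, so it
// passes through untouched and still closes the href attribute when echoed.
$filtered = strip_tags($input);
echo "<a href='" . $filtered . "'></a>\n";
// <a href='' onclick='javascript:alert(0);' alt=''></a>

// Escaping: htmlspecialchars() with ENT_QUOTES encodes both quote styles, so the whole
// value stays inside the attribute and the browser never sees an onclick attribute.
$escaped = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
echo "<a href='" . $escaped . "'></a>\n";
// <a href='&#039; onclick=&#039;javascript:alert(0);&#039; alt=&#039;'></a>

// stripslashes() only makes sense as an undo for magic quotes, so check first.
// get_magic_quotes_gpc() was removed in PHP 8 (magic quotes themselves went away
// in PHP 5.4), hence the function_exists() guard.
function undo_magic_quotes(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// For the database, neither strip_tags() nor addslashes() is the right tool: bind the
// value as a parameter, so "admin'--" is just a username string, never SQL syntax.
function find_user(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$username, $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory table mirroring the query in the last answer (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE users (username TEXT, password TEXT)");
$db->exec("INSERT INTO users VALUES ('admin', 'secret')");

var_dump(find_user($db, 'admin', 'secret'));     // the admin row
var_dump(find_user($db, "admin'--", 'anything')); // NULL: no user literally named admin'--
var_dump(undo_magic_quotes("O\\'Brien"));        // unchanged on PHP 5.4+ (no magic quotes)
```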
