Menu
Community /Pin to ProfileBookmark
@NogDogApr 26.2011 — #Seems to work OK for me:
Output:
@NogDogApr 26.2011 — #
Works for me ? (PHP 5.2.4 on Windows 7 w/Apache 2.2.11 and MySQL 5.1.36). When I do a View Source of the output page, I get:
@NogDogApr 26.2011 — #strip_tags() doesn't know/care what you do with its return value, that's up to you. ? However, note that if you allow [i]any[/i] tags, strip_tags() does not do anything about tag attributes for any tags you allow, thus a malicious user could include stuff you don't want within the tags, e.g.:
@NogDogApr 27.2011 — #Like I said, strip_tags() doesn't know what you are planning to do with its return value, so you can use it in any situation where you desire to make use of its functionality: removing HTML-type tags from a string.
I have no idea why you are having the problem you are reporting, and I'm unable to reproduce it. Maybe it's a character set thing? Maybe it's gremlins? If worse comes to worst you could look at something likeTinyMCE for the input, using it's config options to limit what tags it will support.
[RESOLVED] Question about strip_tags
Hello all, quick question hopefully.
I’m inserting data into MySQL, one of the rows is the “description” row, in my insert file it looks like this:
[code=php]$description = mysql_real_escape_string(strip_tags($_POST[‘description’], ‘<p><i><ul><ol><li><b>’));
I am able to insert html tags, and as you all can see, it is supposed to only allow those tags listed in the variable, its my first time using strip_tags so I got curious and I inserted an h1 tag and it did pass it to the DB, isn’t this script supposed to block that h1 tag or any other tag not listed in there for that matter?
Thanks in advance for any help provided ?
Sign in
to post a comment11 Comments(s) ↴
0
@NogDogApr 26.2011 — #Seems to work OK for me:[code=php]
<?php
$test = <<<EOD
<h1>H1 Tag</h1>
<p>This is a test. It is <i>only</i> a test.</p>
<div>This here's the end.</div>
EOD;
mysql_connect('localhost', '####', '####');
$description = mysql_real_escape_string(strip_tags($test, '<p><i><ul><ol><li><b>'));
echo "<pre>".htmlspecialchars($description)."</pre>";
[/code]Output:
<i>
</i>H1 Tagn<p>This is a test. It is <i>only</i> a test.</p>nThis here's the end.
0
@NogDogApr 26.2011 — #Hey NogDog,
While trying to find out why this is not working for me I found that this does not work:
[code=php]<?php...[/QUOTE]
$test = '<h1>H1 Tag</h1><p>and a p tag</p>';
$description = mysql_real_escape_string(strip_tags($test, '<p><i><ul><ol><li><b>'));
echo $description;
?>[/code]
Works for me ? (PHP 5.2.4 on Windows 7 w/Apache 2.2.11 and MySQL 5.1.36). When I do a View Source of the output page, I get:
<i>
</i>H1 Tag<p>and a p tag</p>
0
@NogDogApr 26.2011 — #strip_tags() doesn't know/care what you do with its return value, that's up to you. ? However, note that if you allow [i]any[/i] tags, strip_tags() does not do anything about tag attributes for any tags you allow, thus a malicious user could include stuff you don't want within the tags, e.g.:<i>
</i><p onmouseover='window.open("http://example.com/");'>Hello, World.</p>
0
@NogDogApr 27.2011 — #Like I said, strip_tags() doesn't know what you are planning to do with its return value, so you can use it in any situation where you desire to make use of its functionality: removing HTML-type tags from a string.I have no idea why you are having the problem you are reporting, and I'm unable to reproduce it. Maybe it's a character set thing? Maybe it's gremlins? If worse comes to worst you could look at something like