Is strip_tags() a safe function to strip malicious code? I do this treatment wherever data goes, to MySQL or not:
1 - Apply htmlentities() to data inside code tags
2 - strip_tags(addslashes_if_magic_quotes_gpc()) to the whole thing
Do I have to take any additional measure to make it safer?
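To see what the question is really asking, here is an added example (not code from the thread) that runs strip_tags() and htmlspecialchars() side by side on a few constructed inputs. The function names and the sample strings are mine; strip_tags() with a whitelist of allowed tags is the documented PHP behaviour.

```php
<?php
// Added example, not code from the thread: what strip_tags() does and does not
// remove, next to htmlspecialchars() on the same constructed inputs.
declare(strict_types=1);

// strip_tags() deletes tags it does not know, but leaves every attribute on a
// tag you whitelist, event handlers included.
function strip_keep_bold(string $s): string
{
    return strip_tags($s, '<b>');
}

// Output encoding for an HTML body context: each special character becomes an
// entity, so the browser never sees a tag or attribute boundary at all.
function encode_for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs for the demo.
$samples = [
    '<script>alert(1)</script>',
    '<b onmouseover="alert(1)">hover me</b>',
    '<b>bold</b> and <i>italic</i>',
];

foreach ($samples as $s) {
    printf("input:      %s\n", $s);
    printf("strip_tags: %s\n", strip_keep_bold($s));
    printf("encoded:    %s\n\n", encode_for_html($s));
}
```

Run it with `php` on the command line. The first sample loses its script tag and the third keeps only the whitelisted bold tag, but the second passes through strip_tags() completely unchanged, handler attribute included, which is the case the PHP manual warns about: strip_tags() is a tag remover, not an HTML sanitiser. htmlspecialchars() neutralises all three, at the cost of displaying no markup at all. That is the "display the HTML safely or just remove it" choice the answers below talk about.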
Please see this link for more information: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string Jay
It's good practice to store data as close to being raw as possible. That way anyone who has to work with it will always know what to expect, including yourself down the road. I've seen countless questions along the lines of "Why does my content come out encoded?" which always trace back to someone encoding things which don't need to be, before storage, and then encoding them again when they come out, either because they're using a new library which behaves differently, or simply forgot that data was encoded before storage.

I would drop the htmlentities call before storing it in the database; the only characters which pose a security concern for the database are quotes. mysql_real_escape_string will handle quotes, and so will the PDO class with its prepared statements. I didn't like PDO at first, but in the last year I've grown to love it.

The strip_tags call is kinda pointless if you're HTML-encoding the data first, isn't it? htmlentities and strip_tags are interchangeable, with the one being used depending on whether you want to safely display the HTML or just remove it. In any event, I would also drop the strip_tags call before storing it in the database. When data is retrieved from the database, it can be prepared for where it will be displayed.
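The approach in the answer above, store the raw string with a prepared statement and encode only at the point of display, as an added example that is not code from the thread. It uses an in-memory SQLite database through PDO so it runs offline with no MySQL server; the table, the function names and the sample comment are constructed for the demo.

```php
<?php
// Added example, not from the thread: raw in the database, encoding at output.
// PDO with SQLite in memory stands in for a MySQL connection so this runs offline.
declare(strict_types=1);

function open_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed table for the demo.
    $pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $pdo;
}

// Undo magic_quotes_gpc if the server added slashes, then store the value as is.
// No htmlentities, no strip_tags, no addslashes: a bound parameter travels
// separately from the SQL text, so quotes in $body cannot alter the query.
function store_comment(PDO $pdo, string $body): int
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $body = stripslashes($body);
    }
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function load_comment(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Encode once, at the output boundary, for an HTML body context.
function render_comment(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo = open_db();
// Constructed sample input: a quote, a double quote and a script tag.
$input = "Bob's <script>alert(1)</script> \"review\"";
$id = store_comment($pdo, $input);
$stored = load_comment($pdo, $id);

// The database holds exactly what the user typed.
if ($stored !== $input) {
    throw new RuntimeException('stored value differs from input');
}

echo render_comment($stored), "\n";
// Encoding a second time is the bug the answer describes: the entities
// produced by the first pass get encoded again and show up in the page.
echo render_comment(render_comment($stored)), "\n";
```

The last two lines make the double-encoding problem visible: the first print is safe HTML, the second turns every `&lt;` into `&amp;lt;` and the reader sees literal entities on the page. Keeping the database raw and encoding exactly once, at the place where you know the output context, is what avoids it.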
As everyone has said, encoding the HTML isn't the real worry; properly escaping quotes is. Because older PHP versions lack it, and because some servers use 'magic quotes', automatically adding them, I test for get_magic_quotes_gpc and strip slashes if present, then use mysql_real_escape_string to encode IF PRESENT, otherwise I call addslashes.

```php
function sanitize($str)
{
    // Undo magic_quotes_gpc first so slashes are not added twice.
    if (get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    // Prefer the MySQL-aware escape when the extension provides it (PHP 4.3.0+).
    // It needs an open mysql connection, otherwise it returns false.
    if (function_exists('mysql_real_escape_string')) {
        return mysql_real_escape_string($str);
    }
    // Fallback for servers without mysql_real_escape_string.
    return addslashes($str);
}
```

Does a good job of preventing the headache of over-encoding slashes, and provides a fallback should your code end up on a server that hasn't updated to PHP 4.3.0 or newer.