Why do a lot of people use both these functions on a string? I see a lot of stripslashes(strip_tags($field)); (or the other way around)

Isn't strip_tags enough to filter any xss stuff and such things?

+2  A: 

When magic quotes is on, it will automatically escape quotes in all of the POST, GET, etc. variables. stripslashes removes those before you use the data. strip_tags tries to remove all of the HTML tags.

GWW
+3  A: 

Isn't strip_tags enough to filter any xss stuff and such things?

Nope. The only safe way to filter out XSS stuff is htmlspecialchars(), although I see many recommendations to use strip_tags() in addition.

See e.g. discussion in this question: Is preventing XSS and SQL Injection as easy as does this…

What the stripslashes is supposed to do in this context, I have no idea. It is probably an attempt to undo the effects of the now-deprecated magic quotes function - but this should never be applied without checking first whether that particular function is enabled.

Pekka
A: 

stripslashes() is normally used for servers that have Magic Quotes enabled. Since Magic Quotes is deprecated (and not recommended) what you are probably looking for is addslashes(), which is to prevent SQL injections. For example, if your SQL statement reads:

SELECT * FROM users WHERE username='$username' AND password = '$password'

without addslashes(), one can do a SQL Injection by setting the username to:

admin'--

So in other words, addslashes() - or better yet, mysql_real_escape_string() - is to prevent SQL injection, while strip_tags() is to prevent XSS injection.

jusunlee
@jusunlee you are probably referring to `addslashes()`. But that must never, ever be used to sanitize a SQL statement. Always use the database wrapper's native escape function, for the `mysql_*` functions, as you say, that is `mysql_real_escape_string()`.
Pekka
`stripslashes` doesn't do this at all, and has nothing to do with preparing data for a database...
meagar
sorry, got confused there a moment. (sheepish grin) fixed!
jusunlee
+1  A: 

Escaping data has nothing to do with strip_tags or stripslashes. These functions filter certain characters out of a string while "escaping" encodes certain characters so they won't be interpreted by a browser or database.

You can use strip_tags to remove HTML tags in strings being sent to PHP from the browser. Better yet, you could also safely store the same data without passing it through strip_tags if you use htmlspecialchars to escape any characters that could delimit tags when you send the data back to the browser.

stripslashes removes slashes from a string, and you only need to worry about it if "magic quotes" are enabled. It's a hold-over from an earlier time when the PHP devs naively assumed every piece of data coming from the browser was destined for a database and that developers couldn't be trusted to escape the database themselves.

meagar
+1  A: 

strip_tags() usually isn't enough to prevent XSS attacks on its own, so it's best to err on the side of caution.

Consider the following:

$str = "' onclick='javascript:alert(0);' alt='";
echo "<a href='". strip_tags($str) ."'></a>";
// output is <a href='' onclick='javascript:alert(0);' alt=''></a>

One doesn't always need HTML tags to execute an XSS attack. It may be a less effective attack, but it's still a potential attack vector nonetheless.

GigaWatt
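The attribute-context break-out shown above, alongside the output-encoding approach meagar's answer describes, as an added example that is not part of the original thread. The input string is the one from GigaWatt's answer, and the `DOMDocument` check is only there to show which attributes a parser actually sees on the resulting anchor.

```php
<?php
// Added example, not code from the original thread.
// Compares "sanitising" with strip_tags() against encoding for the HTML
// attribute context with htmlspecialchars(), using the thread's input value.

function render_link_with_strip_tags(string $value): string
{
    // Removing tags does nothing about quote characters, so the value can
    // still close the href attribute and start new ones.
    return "<a href='" . strip_tags($value) . "'></a>";
}

function render_link_with_escaping(string $value): string
{
    // Encode for the attribute context. ENT_QUOTES is passed explicitly:
    // older PHP versions left single quotes unencoded by default.
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<a href='" . $safe . "'></a>";
}

// Parses the rendered markup and returns the attribute names the browser-side
// parser would see on the first <a> element.
function anchor_attribute_names(string $html): array
{
    libxml_use_internal_errors(true);          // silence parser notices
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    $anchor = $doc->getElementsByTagName('a')->item(0);
    $names = [];
    foreach ($anchor->attributes as $attr) {
        $names[] = $attr->name;
    }
    return $names;
}

// Constructed input, taken from GigaWatt's answer above.
$input = "' onclick='javascript:alert(0);' alt='";

$unsafe = render_link_with_strip_tags($input);
$safe   = render_link_with_escaping($input);

echo "strip_tags only: ", $unsafe, PHP_EOL;
print_r(anchor_attribute_names($unsafe));   // href plus the injected attributes
echo "htmlspecialchars: ", $safe, PHP_EOL;
print_r(anchor_attribute_names($safe));     // href only; the quotes are data
```

Parsing the escaped version yields a single href attribute whose value is the literal input string, which is exactly what storing the raw data and encoding on output is meant to achieve.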