#1 docock (Regular Coder, joined Feb 2007)

    mysql_real_escape and/or strip_tags ?

    Let's say I want to write content from a form (textarea in this case) to a database.

    I'm already using mysql_real_escape_string to prevent some hacking. Is it necessary to use strip_tags(trim()) as well on the textarea?

    I'm not sure if they do the same.

#2 tangoforce (Senior Coder, joined Feb 2011, location: Your Monitor)

    Quote Originally Posted by docock:
    "I'm not sure if they do the same."

    No they don't.

    strip_tags() will remove html tags and javascript tags.

    mysql_real_escape_string() will put a \ before all characters that could be dangerous / end & restart a SQL statement.

    Both can be used for security however they serve entirely different purposes.

    You would use mysql_real_escape_string() to protect your sql statement so that an attacker can't inject their own commands into your sql statement.

    You would use strip_tags() if you don't want your users to inject html / javascript into your pages. E.g. say you have a guestbook, you don't want them inserting a javascript in their comment that will launch an XSS attack against another site. You would therefore use strip_tags() to remove any <javascript></javascript> tags. The same applies for html tags (which could be used to load up a Flash object which could also do things like opening your UPnP ports). Whether you use strip_tags before database insertion or after reading from it but before putting into the page is down to you, but it won't protect the database itself, just the webpage that displays the content.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

    Users who have thanked tangoforce for this post: docock (05-24-2013)
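The two layers tangoforce describes, side by side, as an added example that is not code from either poster. mysql_real_escape_string() was removed in PHP 7, so the database side uses a PDO prepared statement, which achieves the same goal (the value can never terminate the SQL string literal) without manual escaping. The guestbook table, the sample comment and the helper names storeComment(), renderStripped() and renderEscaped() are all constructed for this example; it assumes the pdo_sqlite extension so it can run against an in-memory database.

```php
<?php
// Added example, not from the original thread. Demonstrates why escaping for
// SQL and sanitising for HTML are separate jobs, using the answer's guestbook.
declare(strict_types=1);

// Constructed guestbook entry: it carries both a quote that would break an
// unescaped SQL string and an HTML/JavaScript payload, so each layer is hit.
const SAMPLE_COMMENT = "It's great! <script>alert('xss')</script> <b>bold</b>";

function openGuestbook(): PDO
{
    $db = new PDO('sqlite::memory:');   // assumption: pdo_sqlite available
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE guestbook (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// Layer 1: protect the SQL statement. The comment is bound as a parameter,
// which is the prepared-statement equivalent of mysql_real_escape_string():
// the apostrophe in "It's" cannot end the literal and restart the statement.
function storeComment(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO guestbook (body) VALUES (:body)');
    $stmt->execute([':body' => trim($body)]);
    return (int) $db->lastInsertId();
}

function loadComment(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM guestbook WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Layer 2: protect the page. Two presentation-time options:
//  (a) strip_tags() drops the markup, as the answer suggests. Note it removes
//      only the tags, so "alert('xss')" survives as plain text; it is a
//      display choice, not a complete XSS defence.
function renderStripped(string $body): string
{
    return strip_tags($body);
}

//  (b) htmlspecialchars() keeps the text verbatim but encodes <, >, & and
//      quotes, so the browser shows the markup instead of executing it. This
//      is the safer default when the content is placed into HTML text.
function renderEscaped(string $body): string
{
    return htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$db = openGuestbook();
$id = storeComment($db, SAMPLE_COMMENT);
$stored = loadComment($db, $id);

// The database holds the comment unchanged, <script> included: escaping for
// SQL did its job and nothing more. The page layer decides what is displayed.
echo "stored : $stored\n";
echo "strip  : " . renderStripped($stored) . "\n";
echo "escape : " . renderEscaped($stored) . "\n";
```

Running it shows the stored row still containing the `<script>` element, the stripped rendering reduced to plain text, and the escaped rendering showing the literal markup harmlessly. Parameter binding answers the original question's first concern (the SQL statement); whichever of the two render functions you choose answers the second (the page), and neither one can stand in for the other.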
