  1. #1
    docock (Regular Coder, joined Feb 2007)

    mysql_real_escape and/or strip_tags ?

    Let's say I want to write content from a form (textarea in this case) to a database.

    I'm already using mysql_real_escape_string to prevent some hacking. Is it necessary to use strip_tags(trim()) as well on the textarea?

    I'm not sure if they do the same.

  2. #2
    tangoforce (Master Coder, joined Feb 2011)
    Quote Originally Posted by docock:
    I'm not sure if they do the same.
    No they don't.

    strip_tags() will remove html tags and javascript tags.

    mysql_real_escape_string() will put a \ before all characters that could be dangerous / end & restart a SQL statement.

    Both can be used for security however they serve entirely different purposes.

    You would use mysql_real_escape_string() to protect your sql statement so that an attacker can't inject their own commands into your sql statement.

    You would use strip_tags() if you don't want your users to inject html / javascript into your pages. E.g. say you have a guestbook: you don't want them inserting javascript in their comment that will launch an xss attack against another site. You would therefore use strip_tags() to remove any <javascript></javascript> tags. The same applies for html tags (which could be used to load up a flash object, which could also do things like opening your upnp ports).

    Whether you use strip_tags before database insertion or after reading from it but before putting it into the page is down to you, but it won't protect the database itself, just the webpage that displays the content.

  3. Users who have thanked tangoforce for this post:

    docock (05-24-2013)
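The following is an added example, not code from either poster, that runs the two threats the reply separates against a throwaway in-memory SQLite database through PDO so it works offline. The mysql_* extension the question asks about was removed in PHP 7.0, so the SQL half uses PDO::quote() (the equivalent of mysql_real_escape_string()) next to a prepared statement; the table name, the rows and the attacker inputs are all constructed for the example.

```php
<?php
// Added example (not from the thread). Runs against an in-memory SQLite
// database via PDO so no MySQL server is needed; the table and rows are
// constructed for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE guestbook (id INTEGER PRIMARY KEY, author TEXT, body TEXT)");
$db->exec("INSERT INTO guestbook (author, body) VALUES ('alice', 'first post'), ('bob', 'hello')");

// --- Threat 1: SQL injection (constructed attacker input) ---
// The single quote closes the string literal; the rest rewrites the WHERE clause.
$author = "x' OR '1'='1";

// Vulnerable: raw interpolation. The query becomes
//   SELECT body FROM guestbook WHERE author = 'x' OR '1'='1'
// and matches every row instead of none.
$rows = $db->query("SELECT body FROM guestbook WHERE author = '$author'")
           ->fetchAll(PDO::FETCH_COLUMN);
printf("unescaped:  %d rows (expected 0)\n", count($rows));   // 2

// Escaped: PDO::quote() is the PDO counterpart of mysql_real_escape_string().
// It returns the value already wrapped in quotes, with the embedded quote
// neutralised (SQLite doubles it: 'x'' OR ''1''=''1').
$quoted = $db->quote($author);
$rows = $db->query("SELECT body FROM guestbook WHERE author = $quoted")
           ->fetchAll(PDO::FETCH_COLUMN);
printf("quoted:     %d rows\n", count($rows));                 // 0

// Better: a prepared statement. The data is bound separately and never
// becomes part of the SQL text, so there is nothing to escape.
$stmt = $db->prepare("SELECT body FROM guestbook WHERE author = ?");
$stmt->execute([$author]);
printf("prepared:   %d rows\n", count($stmt->fetchAll(PDO::FETCH_COLUMN))); // 0

// strip_tags() is irrelevant to this threat: there is no markup to strip,
// so the payload passes through unchanged.
var_dump(strip_tags($author) === $author);                     // bool(true)

// --- Threat 2: stored XSS (constructed attacker comment) ---
$comment = 'Nice site! <script>alert(document.cookie)</script><img src=x onerror="alert(1)">';

// SQL escaping does nothing useful here: the markup is stored intact and
// would execute the moment it is echoed into a page.
echo "sql-quoted: ", $db->quote($comment), "\n";

// strip_tags() removes the tags but keeps the text that was between them.
echo "stripped:   ", strip_tags($comment), "\n";               // Nice site! alert(document.cookie)

// htmlspecialchars() keeps the user's text verbatim and makes it inert;
// this is the usual choice for output and is applied at display time.
echo "escaped:    ", htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
```

Run it with `php example.php` on any build that has pdo_sqlite enabled. Two caveats worth keeping in mind when applying the reply's advice: escaping at insert time protects only the one query you escaped for, whereas prepared statements remove the problem for every query; and strip_tags() is a blunt instrument for XSS, because if you pass it an allow-list of tags it keeps the attributes of those tags (an allowed `<a>` still carries its `onclick`), so escaping on output with htmlspecialchars() is the safer default.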
