Why do a lot of people use both these functions on a string? I see a lot of stripslashes(strip_tags($field)); (or the other way around). Isn't strip_tags enough to filter any XSS stuff and such things?
Answer
Escaping data has nothing to do with strip_tags or stripslashes. These functions filter certain characters out of a string, while "escaping" encodes certain characters so they won't be interpreted by a browser or database.
You can use strip_tags to remove HTML tags in strings being sent to PHP from the browser. Better yet, you could also safely store the same data without passing it through strip_tags if you use htmlspecialchars to escape any characters that could delimit tags when you send the data back to the browser.
stripslashes removes slashes from a string, and you only need to worry about it if "magic quotes" are enabled. It's a hold-over from an earlier time when the PHP devs naively assumed every piece of data coming from the browser was destined for a database and that developers couldn't be trusted to escape the database themselves.