
Hi. Just looking for info on this, just to make sure I'm thinking correctly on this.

If, say, there is code that requires input to be limited to just a number entry, you would place abs((int) ...) for example to do so. However, would there be any reason for such to have strip_tags(), or in what scenario would you need to use strip_tags()?

Many thx in advance.


Re: Security!

I'm not sure when you'd want to strip PHP tags. I've never had an instance where user-submitted content would be placed in a context that would allow it to become executable. That would just be a horrible technique.

I can see needing to strip php tags if your code were being put through eval() lol.

But here's a direct quote from the guy that invented PHP:

Rasmus Lerdorf: "If eval() is the answer, you're almost certainly asking the wrong question."

That's the man right there. If Bill Gates told you you were using Windows wrong, I think those words would/should carry a little bit of weight to them ;)


Now I get to the subject of XSS attacks. Those are based on HTML and JavaScript tags. It's common to take text from a user and display it on a screen for others to see.

In this scenario, you should use htmlentities() to convert HTML and JavaScript tags into HTML entities.

Of course there's also database injection that you have to be concerned about. So before putting the string into a DB, use mysql_real_escape_string(). This can and most likely should be used in combination with htmlentities().
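The two sinks this reply describes (the HTML page and the database) each get their own treatment in the added example below. It is not code from the thread; it assumes a PDO connection and a placeholder table `comments(body TEXT)`. Because mysql_real_escape_string() was removed together with the mysql extension in PHP 7, the database side uses a bound parameter, which achieves the same goal (the user text never becomes part of the SQL statement). The example also shows what strip_tags() does by contrast: it removes markup rather than neutralising it, so it is a content-cleanup tool, not an output-escaping one.

```php
<?php
// Added example, not from the thread. Escaping one piece of user text for two
// different destinations: the HTML page (display) and the database (storage).
declare(strict_types=1);

// Display sink. htmlentities() turns < > & " ' into entities, so the browser
// renders the characters as text instead of interpreting them as markup/script.
function forHtml(string $userText): string
{
    return htmlentities($userText, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// strip_tags() deletes the markup instead of encoding it. Useful for a plain-text
// excerpt or a search index; on its own it is not a substitute for forHtml().
function plainExcerpt(string $userText, int $maxLen = 80): string
{
    return mb_substr(strip_tags($userText), 0, $maxLen);
}

// Storage sink. The value is bound as a parameter rather than spliced into the
// query string, so no escaping function is needed and the raw text is kept.
// Escaping happens at output time (forHtml), once the display context is known.
function storeComment(PDO $db, string $userText): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)'); // placeholder table
    $stmt->execute([':body' => $userText]);
}

// Constructed sample input containing both harmless and unwanted markup.
$input = '<b>Hello</b> <script>doSomething()</script> & "quoted" <a href=\'x\'>link</a>';

echo "As HTML text:   ", forHtml($input), PHP_EOL;
echo "As plain text:  ", plainExcerpt($input), PHP_EOL;

// Storage would look like this with a real connection (DSN is a placeholder):
// $db = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass');
// storeComment($db, $input);
```

Run with `php example.php`. The first line shows every `<`, `>`, `&` and quote converted to an entity, so the `<script>` element arrives in the browser as visible text; the second line shows the tags gone but the text inside them kept, which is why strip_tags() answers a different question ("do I want markup in this string at all?") than htmlentities() ("how do I show this string safely?").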


Re: Security!

$something = (int) $user_input;

is basically the same as

$something = intval($user_input);

However the TC mentioned using abs();

Just using intval() doesn't accomplish the same thing that abs((int) $user_input); or abs(intval($user_input)); does.


abs takes out any negative values.

Personally, I prefer to use an if statement. If something is less than 0, tell the user this input was invalid.

I know some people like to write their code to punish folks that try to cheat the game, but that also will punish folks that accidentally put in a negative. And it's not very professional to have a script do something unexpected.


For instance, if you are withdrawing -100 from your bank, you don't expect it to withdraw 100; you expect it to simply not allow it.

And I'd also expect an error message to accompany that as well. But if it simply withdraws 100, then I'd see it as a bit unprofessional. Does your bank do that? Would PayPal do that? Nope, and neither should you. ;)
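The added example below (not code from the thread) puts the two approaches this reply compares side by side: an explicit validation that rejects a negative or non-numeric amount with a message, and the abs((int) ...) coercion that silently turns "-100" into 100. It uses filter_var() with FILTER_VALIDATE_INT, which also rejects inputs such as "12abc" or "1.5" that (int) and intval() would quietly truncate; the function name and the sample inputs are the example's own.

```php
<?php
// Added example, not from the thread: validate a whole, non-negative amount and
// report an error instead of "correcting" the input behind the user's back.
declare(strict_types=1);

// Returns the validated integer, or null when the input is not acceptable.
// $error is set to a user-facing message in the null case.
function validateAmount(string $raw, ?string &$error = null): ?int
{
    $error = null;
    // FILTER_VALIDATE_INT accepts only a complete integer string and enforces the
    // range. By contrast, (int) "12abc" is 12 and (int) "1.5" is 1 with no error.
    $value = filter_var(trim($raw), FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => PHP_INT_MAX],
    ]);
    if ($value === false) {
        $error = 'Please enter a whole number of 0 or more.';
        return null;
    }
    return $value;
}

// The behaviour the reply warns about: the sign is dropped, so a request for
// -100 goes through as a request for 100 without anyone being told.
function absCoerce(string $raw): int
{
    return abs((int) $raw);
}

// Constructed inputs covering the normal case, a negative, and two malformed values.
foreach (['250', '-100', '12abc', '1.5', ''] as $raw) {
    $ok = validateAmount($raw, $err);
    printf(
        "%-8s validateAmount: %-45s abs((int)): %d\n",
        var_export($raw, true),
        $ok === null ? "rejected ($err)" : "accepted $ok",
        absCoerce($raw)
    );
}
```

Run with `php example.php`. Only "250" is accepted by validateAmount(); the other four are rejected with the message, whereas absCoerce() returns a number for every one of them, including 100 for "-100" and 12 for "12abc", which is exactly the "unexpected" outcome the reply argues a withdrawal form should never produce.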

