PHP strip_tags

 

A third security option for your HTML forms is to use the strip_tags( ) function. (See the previous lessons for why you want to do this.) It will, as its name suggests, strip all HTML for you. You can, however, tell this function to ignore HTML that you consider harmless, or that you want to include. Here's the syntax:

strip_tags( $string, html_tags_to_ignore )

So the first thing you need to provide the strip_tags( ) function with is the string of text you're trying to check. The second thing, html_tags_to_ignore, is optional. If you leave this off then the function will strip all tags. Here's two example to try:

$first_name = $_POST['first_name'];
$first_name = strip_tags( $first_name );
echo $first_name;

The new line is set up to strip all HTML from the variable called $first_name. When the script is run, it will look like this:

Using the strip_tags PHP function

As you can see, only the text of the HTML is left – A Nasty Site.

If it would be OK for people to enter things like bold text or italics, then you'd set up the function like this:

$first_name = $_POST['first_name'];
$first_name = strip_tags( $first_name, "<B>" );
echo $first_name;

 

Summary

When you have text coming from a form, you should always use a security technique to thwart an attack. However, it's naïve to think we can thwart every attack, and a determined and skilful hacker could probably defeat you. But if you take sensible security measure, you should be able to defend yourself against most attacks. It's well worth doing more research on the subject. search Google for the phrase PHP Security.

 

In the next section, we'll take a look at opening and working with files in PHP.