Posted by: phillipnb | April 8, 2013

Analysing strip_tags() and mysql_real_escape_string()

Security threats to applications written in PHP is nothing new. It is difficult to thwart every attack or plug every loophole in your php code. A skilled developer will try to plug most of these security holes or try to strengthen the security of the application as much as possible. Here are two such options by which you can defend an attack on your application.

As a developer, one of the things that we want to secure in PHP application will be the security of our html forms when a user submits input. Basically, we want to strip the user input of all html tags. PHP does have a built-in function to handle this called strip_tags($string, $tags_to_ignore). As you can see, the function strip_tags has two parameters – the first one is of type string, the string that contains the user input that needs to be stripped of all html tags. The second parameter is where you specify what tags need to be ignored while the user input is stripped of all html tags. If we do not specify the second parameter then strip_tags will remove all tags. So, use this wonderful feature from PHP and get rid of all tags which is not necessary so that a rogue user will not spring surprises by using your html form.

The second function that I want to talk about is mysql_real_escape_string(). This function is used to escape special characters in a SQL statement. Some developers consider this function as a way to sanitize the input before using it in a sql statement while others do not think this as a sanitizing function. If this function is not used to escape data before applying the data to sql then the query is vulnerable to sql injection attacks. Though we may think this as a fantastic function but be aware that this function has a few limitations like: a). A mysql connection is required before using this function else an error will be generated and a boolean false will be returned b). mysql_real_escape_string() does not escape % and underscore. And a final warning – mysql_real_escape_string() is for strings and not for integers.

So, input filtering and output escaping are both vital for the security of your php code. In addition to the above there are many other built-in functions in php for sanitizing input like filter_has_var(), filter_id(), filter_input_array() etc Using functions like htmlspecialchars(), escapeshellcmd(), escapeshellarg(), php developers can make their php application more secure.



  1. I drop a leave a response when I like a post on a site or I have something to
    valuable to contribute to the discussion. It is a result of the sincerness displayed in the article I browsed.
    And after this article Analysing strip_tags() and mysql_real_escape_string() | My Experience with PHP.
    I was actually moved enough to drop a thought 🙂 I actually do have a
    couple of questions for you if you do not mind.
    Is it only me or do some of these responses
    look as if they are written by brain dead people? 😛
    And, if you are writing at other online sites, I’d like to keep up with you. Could you list the complete urls of all your communal sites like your Facebook page, twitter feed, or linkedin profile?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: