ID: 33275
Updated by: [EMAIL PROTECTED]
Reported By: slawek at truxe dot com
Status: Bogus
Bug Type: Strings related
Operating System: Windows 2003 Server
PHP Version: 4.3.11

New Comment:
That's not what the manual says actually. It says it *also* strips HTML comments. And below that it says, "Because strip_tags() does not actually validate the HTML, partial, or broken tags can result in the removal of more text/data than expected." So I would say the behaviour you are reporting is documented.

Previous Comments:
------------------------------------------------------------------------

[2005-06-08 15:49:47] slawek at truxe dot com

Yes, but the manual states that strip_tags() wipes everything between HTML comment tags (forced & silently), and I assume that everything else can be set as "string allowable_tags". HTML comments look like "<!--" as we know, and "<=" does not, but it was stripped out even when I set it in "string allowable_tags". That situation is not described precisely in the manual page. Maybe it must be described more precisely in the manual page even if it is designed to "...strips everything between a pair of angle brackets...".

cheers
Slawek

------------------------------------------------------------------------

[2005-06-08 15:37:15] [EMAIL PROTECTED]

Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php

Why are you running strip tags on SQL anyway? :)

------------------------------------------------------------------------

[2005-06-08 15:14:01] nick dot telford at gmail dot com

Not really much of a bug, strip_tags() simply strips everything between a pair of angle brackets. It's not designed to be an incredibly intelligent function. For your case, where you wish to strip tags out of input to an SQL query, simply do something like this.

$sql = "SELECT something FROM table WHERE field <= " . strip_tags($number);

A glance over the Database Security pages in the PHP docs might prove beneficial: www.php.net/security.database

------------------------------------------------------------------------

[2005-06-08 13:55:46] slawek at truxe dot com

Description:
------------
// strip_tags() strips everything after "<="
// strings like >= not affected
<?
$anyvalue = 10;
$sql_query = "select * from anytable where anycolumn <= '" . $anyvalue . "'";
// after that
$sql_query = strip_tags($sql_query);
?>
// result of print $sql_query;
select * from anytable where anycolumn
// should be
select * from anytable where anycolumn <= '10'

Reproduce code:
---------------
// strip_tags() strips everything after "<="
// strings like >= not affected
<?
$anyvalue = 10;
$sql_query = "select * from anytable where anycolumn <= '" . $anyvalue . "'";
// after that
$sql_query = strip_tags($sql_query);
print $sql_query;
?>

Expected result:
----------------
select * from anytable where anycolumn <= '10'

Actual result:
--------------
select * from anytable where anycolumn

------------------------------------------------------------------------
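The following is an added example, not part of the bug report, of PHP's documentation, or of any comment above. It reproduces the reporter's observation (strip_tags() sees "<=" as the start of a tag and, finding no closing ">", discards the rest of the string) and shows the alternative the discussion points at: do not run strip_tags() over SQL text at all, keep the operator in the fixed statement and bind the value as a parameter. The function names query_after_strip_tags and select_up_to, the in-memory SQLite database and its three rows are assumptions made for this example; the table and column names come from the report.

```php
<?php
// Added example, not from the bug report: what strip_tags() does to the
// reporter's query, and how binding the value keeps the operator intact.
// Assumes PHP with the PDO SQLite driver available.

// strip_tags() treats a '<' that is not followed by whitespace as the start
// of a tag and discards input until the matching '>'. With no '>' anywhere in
// the string, the operator, the quotes and the value are all removed.
function query_after_strip_tags(string $value): string
{
    $sql = "select * from anytable where anycolumn <= '" . $value . "'";
    return strip_tags($sql);
}

// Parameterised form: the operator lives in the fixed SQL text and the value
// is bound by the driver, so no character in the value can alter the
// statement. There is nothing for strip_tags() to do here.
function select_up_to(PDO $db, string $value): array
{
    $stmt = $db->prepare("select * from anytable where anycolumn <= :v");
    $stmt->execute([':v' => $value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory table (hypothetical data) so the script runs on its own.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("create table anytable (anycolumn integer)");
$db->exec("insert into anytable (anycolumn) values (5), (10), (15)");

// The stripped query is no longer a complete statement.
echo "After strip_tags(): ", query_after_strip_tags('10'), "\n";

// The bound query runs the comparison the reporter intended.
foreach (select_up_to($db, '10') as $row) {
    echo "anycolumn = ", $row['anycolumn'], "\n";
}
```

Run it with the PHP CLI; the first line printed matches the "Actual result" in the report, while the loop lists the rows whose anycolumn is at most 10. The point for a reviewer is that strip_tags() is an HTML helper with no knowledge of SQL, so applying it to a whole query (or, as suggested in one comment, only to the value) neither preserves the statement nor protects it; a prepared statement does both.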
