I am a bit confused about the strip_tags command. I thought that strip_tags strips all HTML and PHP coding from whatever is input. I have the following code:

<?php

// Read the submitted message and echo it with HTML and PHP tags removed
$message = $_REQUEST['Message'];

echo strip_tags($message);

?>

If I enter something like the following into the textarea box:

<p>Hello World!</p>

It will strip the <p> tags and display "Hello World!" However, if I enter something like:

<?php
<p><font face="arial">Hello World</font></p>
?>

Then it will just display a blank page. My goal is to just strip PHP and HTML coding to try to prevent abuse. In addition, does the strip_tags command also strip JavaScript?

    I believe it's functioning as designed: anything between a <?php and its closing ?> tag is considered PHP code, so it is deleted as being part of the <?php...?> tag.

      OK, thanks.

      I guess then it would be best if I simply wrote coding to detect PHP and HTML and reject the input (e.g. echo a message telling them that HTML and PHP are not allowed in their message).
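An added example, not code posted in this thread, showing what strip_tags() returns for the three inputs discussed above (HTML, a <?php ... ?> block, and a <script> tag), the detect-and-reject check the last reply proposes, and an output-escaping alternative. Only $_REQUEST['Message'] comes from the question; the sample inputs and function names are constructed for illustration.

```php
<?php
// Added example (not from the original thread): what strip_tags() does with
// the inputs discussed above, and two safer ways to handle the message.
declare(strict_types=1);

// Constructed sample inputs, modelled on the thread.
$samples = [
    'html'   => '<p>Hello World!</p>',
    'php'    => "<?php\n<p><font face=\"arial\">Hello World</font></p>\n?>",
    'script' => '<script>alert("hi")</script>',
];

foreach ($samples as $name => $input) {
    // strip_tags() removes HTML tags but keeps their text content, and it
    // removes everything from "<?" up to the matching "?>" as one PHP tag,
    // which is why the second sample comes back empty (the "blank page").
    printf("%-7s => %s\n", $name, var_export(strip_tags($input), true));
}
// html    => 'Hello World!'
// php     => ''
// script  => 'alert("hi")'   (tags gone, the JavaScript text itself is kept)

// Caveat: tags on the allow-list keep ALL their attributes untouched,
// including event-handler attributes, so an allow-list is not a sanitizer.
echo strip_tags('<a href="https://example.com" title="kept">link</a>', '<a>'), "\n";
// <a href="https://example.com" title="kept">link</a>

// Option 1 (what the last reply proposes): detect markup and reject it.
// If stripping changes the string, it contained something tag-like.
function containsMarkup(string $message): bool
{
    return strip_tags($message) !== $message;
}

// Option 2: keep the message exactly as typed and neutralise it at output
// time, so "<p>" is shown literally and no script or PHP tag is interpreted.
function renderMessage(string $message): string
{
    return nl2br(htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

$message = $_REQUEST['Message'] ?? '';   // same input as the question's code
if (containsMarkup($message)) {
    echo "HTML and PHP are not allowed in your message.\n";
} else {
    echo renderMessage($message), "\n";
}
```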
