Hi there.
I am using the following SQL line:
. " values ('".$_POST['account']."','".md5($_POST['password'])."',".$noc.",'".$_POST['realname']."','".$_POST['location']."','".$_POST['email']."','".$_POST['native']."','".$_POST['other']."','".$joined."')";
Because we're taking POST data and putting it straight into the database, where it's echo'ed out elsewhere - I need to get rid of html / php tags that could cause "bad" things. Therefore, I think strip_tags is the right function.
Is there a way to strip_tags all $_POST data sent to my update.php script (which contains the following line, amongst others)?
Secondly, I have a news script which I have allowed some html code via the following:
$show=str_replace("<","*",$cnews['body']);
$show=str_replace(">","*",$show);
$show=str_replace("[b]","<strong>",$show);
$show=str_replace("[/b]","</strong>",$show);
$show=str_replace("[i]","<i>",$show);
$show=str_replace("[/i]","</i>",$show);
$show=str_replace("[u]","<u>",$show);
$show=str_replace("[/u]","</u>",$show);
$show=str_replace("[br]","<br />",$show);
$show=str_replace("[code]","<code>",$show);
$show=str_replace("[/code]","</code>",$show);
echo " <p>".$show."</p>\n";
Would it be safer to strip_tags on that too, but just allow the html ones I need?
Any help would be appreciated with this please!
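
An added example, not part of the original post, covering both cases asked about above: the POST values are bound as query parameters and stored unmodified, then escaped at output time, with only the news script's BBCode tags turned back into HTML. The `members` table, its columns, the `render_bbcode` helper and the sample input are assumptions made for illustration; the database is in-memory SQLite through PDO so the script runs on its own.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: escape ALL markup first, then map only the
// BBCode tags the news script allows. strip_tags() with an allow-list
// is avoided because it keeps attributes (e.g. onmouseover) on the
// tags it lets through.
function render_bbcode(string $raw): string
{
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // strtr() does a single pass, so replaced output is never re-scanned.
    return strtr($safe, [
        '[b]' => '<strong>', '[/b]' => '</strong>',
        '[i]' => '<i>',      '[/i]' => '</i>',
        '[u]' => '<u>',      '[/u]' => '</u>',
        '[br]' => '<br />',
        '[code]' => '<code>', '[/code]' => '</code>',
    ]);
}

// Constructed schema standing in for the real members table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (account TEXT, realname TEXT, location TEXT)');

// Constructed stand-in for $_POST: a quote that would break the
// concatenated query, and markup that must not reach the browser raw.
$post = [
    'account'  => "o'brien",
    'realname' => '<script>alert(1)</script>',
    'location' => '[b]Cork[/b] <img src=x onerror=alert(1)>',
];

// Placeholders keep the values out of the SQL text entirely, so no
// quoting or tag stripping is needed before storage.
$stmt = $db->prepare(
    'INSERT INTO members (account, realname, location)
     VALUES (:account, :realname, :location)'
);
$stmt->execute([
    ':account'  => $post['account'],
    ':realname' => $post['realname'],
    ':location' => $post['location'],
]);

// Escape where the data is echoed; BBCode is rendered only where allowed.
foreach ($db->query('SELECT account, realname, location FROM members') as $row) {
    echo '<p>', htmlspecialchars($row['account'], ENT_QUOTES, 'UTF-8'), '</p>', "\n";
    echo '<p>', htmlspecialchars($row['realname'], ENT_QUOTES, 'UTF-8'), '</p>', "\n";
    echo '<p>', render_bbcode($row['location']), '</p>', "\n";
}
```

Unbalanced BBCode such as a lone `[b]` still yields an unclosed `<strong>`, which affects layout but cannot introduce new tags or attributes.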