Bug #33275 strip_tags() strips everything after "<="
Submitted: 2005-06-08 13:55 UTC Modified: 2005-06-08 16:04 UTC
From: slawek at truxe dot com Assigned:
Status: Not a bug Package: Strings related
PHP Version: 4.3.11 OS: Windows 2003 Server
Private report: No CVE-ID: None
 [2005-06-08 13:55 UTC] slawek at truxe dot com
Description:
------------
// strip_tags() strips everything after "<="
// strings like >= not affected
<?php
$anyvalue = 10;
$sql_query = "select * from anytable where anycolumn <= '" . $anyvalue . "'";

// after that: the '<' of "<=" is treated as the start of a tag
$sql_query = strip_tags($sql_query);
?>

// result of print $sql_query;
select * from anytable where anycolumn 

// should be 
select * from anytable where anycolumn <= '10'


Reproduce code:
---------------
// strip_tags() strips everything after "<="
// strings like >= not affected
<?php
$anyvalue = 10;
$sql_query = "select * from anytable where anycolumn <= '" . $anyvalue . "'";

// after that: the '<' of "<=" is treated as the start of a tag
$sql_query = strip_tags($sql_query);
print $sql_query;
?>

Expected result:
----------------
select * from anytable where anycolumn <= '10'

Actual result:
--------------
select * from anytable where anycolumn 
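To make the reported behaviour reproducible beyond the single query above, here is an added example (not part of the bug report and not PHP's own test code) that runs strip_tags() over a few constructed strings, one of them with an allowable_tags argument. The function probeStripTags() and the inputs are assumptions made for this illustration.

```php
<?php
// Added example, not from the bug report: probes how strip_tags() treats
// '<' and '>' that are meant as comparison operators rather than markup.
declare(strict_types=1);

/**
 * Run strip_tags() over a list of [input, allowable_tags] pairs and return
 * the results so they can be inspected or asserted on.
 */
function probeStripTags(array $cases): array
{
    $results = [];
    foreach ($cases as [$input, $allowed]) {
        $results[] = [
            'input'   => $input,
            'allowed' => $allowed,
            'result'  => strip_tags($input, $allowed),
        ];
    }
    return $results;
}

// Constructed inputs for this illustration.
$cases = [
    // '<' directly followed by a non-space character opens a "tag"; with no
    // later '>' it never closes, so the rest of the string is discarded.
    ["select * from t where c <= '10'", ''],
    // A lone '>' outside a tag is ordinary text, so ">=" survives intact.
    ["select * from t where c >= '10'", ''],
    // '<' followed by whitespace is kept as text, and so is what follows it.
    ["select * from t where c < 10", ''],
    // allowable_tags cannot rescue "<=": the "tag" is only compared against
    // the allowed list once a closing '>' is seen, and there is none.
    ["select * from t where c <= '10'", '<='],
    // The first '>' after the '<' closes the "tag"; the text between is lost.
    ["x <= 10 and y > 5", ''],
];

foreach (probeStripTags($cases) as $r) {
    printf("%-34s allowed=%-5s -> %s\n",
        var_export($r['input'], true),
        var_export($r['allowed'], true),
        var_export($r['result'], true));
}
```

The first and fourth cases come back as just the text before "<=", exactly as in the report, and the allowable_tags argument makes no difference; the ">=" case is returned unchanged. The practical point for anyone sanitising input is that strip_tags() is a markup stripper with no notion of the data it is fed, so it must not be applied to text (SQL, code, arithmetic) in which "<" has another meaning.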

 [2005-06-08 15:14 UTC] nick dot telford at gmail dot com
Not really much of a bug; strip_tags() simply strips everything between a pair of angle brackets. It's not designed to be an incredibly intelligent function.

For your case, where you wish to strip tags out of input to an SQL query, simply do something like this.

$sql = "SELECT something FROM table WHERE field <= " . strip_tags($number);

A glance over the Database Security pages in the PHP docs might prove beneficial: www.php.net/security.database
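Rather than stripping anything from the query text, the value can be kept out of the SQL altogether and passed as a bound parameter, which is the approach the manual's database security material points towards. The following is an added example (not from the bug report, the comment above, or the PHP manual); it assumes the pdo_sqlite extension is installed and uses an in-memory database with a constructed table so that it runs offline. The function name findRowsAtMost() and the table contents are assumptions.

```php
<?php
// Added example, not part of the bug report: the comparison "<=" stays in
// constant SQL text and the user-controlled value travels separately as a
// bound parameter, so nothing in the query ever needs strip_tags().
// Assumes the pdo_sqlite extension; ":memory:" keeps the example offline.
declare(strict_types=1);

function findRowsAtMost(PDO $db, string $rawValue): array
{
    // Validate the type you actually expect instead of "cleaning" SQL text.
    $limit = filter_var($rawValue, FILTER_VALIDATE_INT);
    if ($limit === false) {
        throw new InvalidArgumentException('anyvalue must be an integer');
    }

    // The SQL text is a constant; the value can never become SQL syntax.
    $stmt = $db->prepare(
        'SELECT id, anycolumn FROM anytable WHERE anycolumn <= :limit ORDER BY id'
    );
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed schema and rows for this illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE anytable (id INTEGER PRIMARY KEY, anycolumn INTEGER)');
$db->exec('INSERT INTO anytable (anycolumn) VALUES (5), (10), (15)');

// A well-formed value: returns the rows with anycolumn 5 and 10.
print_r(findRowsAtMost($db, '10'));

// A malformed value is rejected before any SQL is executed.
try {
    findRowsAtMost($db, '10abc');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The two defences are independent: the integer check rejects anything that is not the expected type, and the bound parameter guarantees that even a value which passed validation is handled as data by the driver, not spliced into the statement.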
 [2005-06-08 15:37 UTC] derick@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Why are you running strip tags on SQL anyway? :)
 [2005-06-08 15:49 UTC] slawek at truxe dot com
Yes, but the manual states that strip_tags() wipes everything between HTML comment tags (forced and silently), and I assume that everything else can be set as "string allowable_tags".
HTML comments look like "<!--" as we know, and "<=" does not, but it was stripped out even though I set it in "string allowable_tags".
That situation is not described precisely in the manual page. Maybe it needs to be described more precisely in the manual page even if it is designed to "...strip everything between
a pair of angle brackets...".

cheers
Slawek
 [2005-06-08 15:56 UTC] rasmus@php.net
That's not what the manual says actually.  It says it *also* strips HTML comments.  And below that it says,

 "Because strip_tags() does not actually validate the HTML, partial, or broken tags can result in the removal of more text/data than expected."

So I would say the behaviour you are reporting is documented.
 [2005-06-08 16:04 UTC] slawek at truxe dot com
That's right, you've convinced me.
But I think that "...strips everything between
a pair of angle brackets..." says a little bit more than "...also broken tags...".
Thanks for attention and engagement.

Slawek
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat May 04 08:01:29 2024 UTC