Home/ Questions/Q 6958771
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T15:11:02+00:00

I am truing to filter html characters out like this $user = $_POST[user]; //Get

  • 0

I am truing to filter html characters out like this

$user = $_POST["user"]; //Get username from <form>
mysql_real_escape_string($user); //Against SQL injection
strip_tags($user); //Filter html characters out

But for some reason this is not filtering html characters out. I don’t know why, could it by mysql_real_escape_string?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    …But, do you mean:

    $user = $_POST["user"]; // Get username from <form>
$user = mysql_real_escape_string($user); // Against SQL injection
$user = strip_tags($user); // Filter html characters out

    ?

    As said in the other answers (referring to strip_tags(), but it’s the same for mysql_real_escape_string()), these functions do not alter strings directly, but return the modified copy. So you have to assign return values to the same (or another) variable!

    • 0