Demonic

Security Time :) would this work?

[code]
<?php
function no_injection($string){
    if(!htmlspecialchars($string)){
        $string = htmlspecialchars($string);
    }
    return $string;
}
?>
[/code]

Would this work in any way?

This bit makes no sense:
[code]if(!htmlspecialchars($string)){
    $string = htmlspecialchars($string);
}[/code]
How will PHP know you have run htmlspecialchars? Also, this bit of code [code=php:0]$string = htmlspecialchars($string);[/code] will never be run, as PHP will run htmlspecialchars on the string being passed to the function in this bit of code:
[code=php:0]if(!htmlspecialchars($string)){[/code]. So your function is a bit of a waste.

[code]
<?php
function no_injection($string){
    $string = htmlspecialchars($string);

    return $string;
}
?>
[/code]

Keep it simple and short?

For making things secure I do the following:
[code]
<?php
function MakeSafe($str, $make_lower = false){
    if($make_lower){
        $str = strtolower($str);
    }
    $str = stripslashes($str);
    $str = trim($str);
    $str = strip_tags($str);
    $str = mysql_real_escape_string($str);
    return $str;
}

// This will make the string safe, and lower case (for usernames etc.)
$username = MakeSafe($_POST["username"], 1);

// This will make the string safe, keeping case (for names etc.)
$name = MakeSafe($_POST["name"]);
[/code]
Note that the 1 (or any value: true, a, lowercase) is what makes it lowercase.
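The MakeSafe() above runs every value through the same pipeline regardless of where it ends up: strip_tags throws away any legitimate "<" in the data, and mysql_real_escape_string escapes for one consumer (MySQL, and it needs an open connection; the whole mysql extension was removed in PHP 7) even when the value is later printed into HTML. The following is an added example, not code posted by anyone in this thread, showing the alternative: keep the input as submitted, hand it to SQL only as a bound parameter, and escape for HTML at the moment it is output. It uses PDO with an in-memory SQLite database so it runs without a server (assumption: the pdo_sqlite extension is enabled); the helper names escapeHtml, normaliseUsername and expect, and the sample $post array, are mine.

```php
<?php
// Added example: context-specific handling instead of one "MakeSafe" pass.
// Assumes the pdo_sqlite extension is available. Helper names are invented here.
declare(strict_types=1);

// Escape a string for insertion into an HTML text node or quoted attribute.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Normalise a username for comparison (trimmed, lower case) without
// destroying characters the user actually typed.
function normaliseUsername(string $s): string
{
    return mb_strtolower(trim($s), 'UTF-8');
}

// Small check helper so the example fails loudly even when zend.assertions is off.
function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException('Unexpected result: ' . $what);
    }
}

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, display_name TEXT)');

// Constructed sample input standing in for $_POST. The apostrophe and the tag
// are exactly the characters MakeSafe() would escape or strip.
$post = [
    'username' => "  O'Brien  ",
    'name'     => "Miles O'Brien <script>alert(1)</script>",
];

// Insert through a prepared statement: the values are bound, never spliced
// into the SQL text, so a quote in the data cannot alter the statement.
$insert = $pdo->prepare('INSERT INTO users (username, display_name) VALUES (:u, :n)');
$insert->execute([
    ':u' => normaliseUsername($post['username']),
    ':n' => trim($post['name']),
]);

// Look the row up the same way; the user-supplied value is again a bound parameter.
$select = $pdo->prepare('SELECT username, display_name FROM users WHERE username = :u');
$select->execute([':u' => normaliseUsername("O'BRIEN")]);
$row = $select->fetch(PDO::FETCH_ASSOC);

// The stored data is intact: apostrophe and "<script>" survive in the database
// because nothing was stripped or escaped on the way in.
expect($row['username'] === "o'brien", 'username stored normalised but unmangled');
expect($row['display_name'] === "Miles O'Brien <script>alert(1)</script>", 'name stored verbatim');

// Escaping happens once, at output, for the HTML context.
$html = '<p>Welcome, ' . escapeHtml($row['display_name']) . '</p>';
expect(
    $html === '<p>Welcome, Miles O&#039;Brien &lt;script&gt;alert(1)&lt;/script&gt;</p>',
    'HTML-escaped at output'
);

echo $html, PHP_EOL;
```

Run it with `php example.php`; it prints the escaped paragraph and throws if any of the expectations fail. The design point is that "safe" is relative to a destination: a bound SQL parameter and an HTML-escaped string are two different transformations of the same stored value, so neither needs to be done at input time, and the database ends up holding what the user actually typed.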

I don't think htmlspecialchars can do all the strings called $strings as you want; I think they all got to be set separately.

good luck.

[code]
<?php
$name="redarrow";
function name($name){
    $name = htmlspecialchars($name);
    return $name;   // hand the escaped value back to the caller
}

$name = name($name);   // call the function and keep its result
?>
[/code]

If there's anything I missed there, let me know,
but I think my example covers everything,
and I added the strtolower for usernames and passwords
to make it easier.

Is this the correct way to get the function to work on a different page? Cheers.

functions.php
[code]
<?php
function MakeSafe($str, $make_lower = false){
    if($make_lower){
        $str = strtolower($str);
    }
    $str = stripslashes($str);
    $str = trim($str);
    $str = strip_tags($str);
    $str = mysql_real_escape_string($str);
    return $str;   // without this the caller gets NULL back
}
?>
[/code]

test.php
[code]
<?php
include("functions.php");

function MakeSafe($str, $make_lower = false);

$username = MakeSafe($_POST["username"], 1);

//This will make string safe, keeping case, (For names ect)
$name = MakeSafe($_POST["name"]);

?>
[/code]

no
[code]
<?php
include("functions.php");

$username = MakeSafe($_POST["username"], 1);
//This will make string safe, keeping case, (For names ect)
$name = MakeSafe($_POST["name"]);

?>
[/code]

All you have to do.

OK, that's because the function is being called within the variables $username and $name.

get it.

cheers.

That has created a function,
a function just like the things inside it:
mysql_real_escape_string is a function,
strtolower is a function.

As long as it's on the same page, it works,
and using include or require puts it on the same page.
