
Security Time :) would this work?


11 replies to this topic

#1 Demonic

Demonic
  • Members
  • PipPipPip
  • Advanced Member
  • 562 posts

Posted 17 September 2006 - 02:11 PM

<?php
function no_injection($string){
if(!htmlspecialchars($string)){
$string = htmlspecialchars($string);
}
return $string;
}
?>

would this work in any way?

#2 wildteen88

wildteen88
  • Staff Alumni
  • Advanced Member
  • 10,482 posts
  • LocationUK, Bournemouth

Posted 17 September 2006 - 02:14 PM

This bit makes no sense:
if(!htmlspecialchars($string)){
$string = htmlspecialchars($string);
}
How will PHP know you have run htmlspecialchars? Also this bit of code
$string = htmlspecialchars($string);
will never be run, as PHP will run htmlspecialchars on the string being passed to the function in this bit of code:
if(!htmlspecialchars($string)){
. So your function is a bit of a waste.



#3 Demonic

Demonic
  • Members
  • PipPipPip
  • Advanced Member
  • 562 posts

Posted 17 September 2006 - 02:16 PM

<?php
function no_injection($string){
$string = htmlspecialchars($string);

return $string;
}
?>

Keep it simple and short?

#4 onlyican

onlyican
  • Members
  • PipPipPip
  • Advanced Member
  • 921 posts
  • LocationHants - UK

Posted 17 September 2006 - 02:19 PM

For making things secure I do the following
<?php
function MakeSafe($str, $make_lower = false){
if($make_lower){
$str = strtolower($str);
}
$str = stripslashes($str);
$str = trim($str);
$str = strip_tags($str);
$str = mysql_real_escape_string($str);
return $str;
}

//This will make string safe, and lower case (for usernames ect)
$username = MakeSafe($_POST["username"], 1);

//This will make string safe, keeping case, (For names ect)
$name = MakeSafe($_POST["name"]);
Note that the 1 (or any value: true, a, lowercase) is what makes it lowercase
Tell me the problem, I will try tell you the solution
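An added example, not code from the thread, showing the approach a security reviewer would suggest instead of one catch-all MakeSafe(): normalise the value once, then protect each context where it is used (a prepared statement for the database, htmlspecialchars at HTML output time). It assumes PHP 7 or later with the pdo_sqlite extension; the sample input is constructed to stand in for $_POST values.

```php
<?php
// Added example (not from the thread). Assumes PHP 7+ with pdo_sqlite.
// One function cannot make a string "safe" for every context; the SQL
// and HTML contexts below are handled separately.

// Constructed sample input standing in for $_POST values.
$input = [
    'username' => '  Alice<script>  ',
    'name'     => "O'Brien <b>&co</b>",
];

// 1. Normalise only: trim whitespace and optionally lower-case.
//    No escaping yet, because we do not know where the value ends up.
function normalise(string $value, bool $makeLower = false): string {
    $value = trim($value);
    return $makeLower ? strtolower($value) : $value;
}

// 2. Database context: a prepared statement keeps the data separate from
//    the SQL text, so quotes or backslashes in the value cannot alter the query.
//    An in-memory SQLite database is used so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT, name TEXT)');

$stmt = $pdo->prepare('INSERT INTO users (username, name) VALUES (:username, :name)');
$stmt->execute([
    ':username' => normalise($input['username'], true),
    ':name'     => normalise($input['name']),
]);

// 3. HTML context: encode at the moment of output, for this context only.
//    ENT_QUOTES also converts single quotes; the charset is stated explicitly.
function html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

$row = $pdo->query('SELECT username, name FROM users')->fetch(PDO::FETCH_ASSOC);

// The stored values are intact (no strip_tags mangling); the HTML encoding
// is applied only when the value is rendered in a page.
echo "Stored username: " . $row['username'] . "\n";
echo "Stored name:     " . $row['name'] . "\n";
echo "<p>" . html($row['name']) . "</p>\n";
```

Two points worth keeping in mind when comparing this with MakeSafe(): mysql_real_escape_string needs an open MySQL connection and the whole mysql_* extension was removed in PHP 7.0, so parameterised queries through PDO or mysqli are the portable replacement; and strip_tags silently damages legitimate data (a name like "O'Brien <3" loses everything after the angle bracket), whereas encoding at output time preserves the stored value and still renders it harmlessly.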

#5 redarrow

redarrow
  • Members
  • PipPipPip
  • Advanced Member
  • 7,308 posts
  • Locationlondon

Posted 17 September 2006 - 02:21 PM

I don't think htmlspecialchars can do all the strings called $strings as you want; I think they all have to be set separately.

good luck.

<?php
$name="redarrow";
// Encode the value for HTML and hand it back to the caller.
function name($name){
$name = htmlspecialchars($name);
return $name;
}

// Call the function and keep its result.
$name = name($name);
?>

Wish I knew all about PHP. Damn, I will have to learn.
((EMAIL CODE THAT WORKS))
http://simpleforum.ath.cx/mail2.inc
((PAYPAL INTEGRATION THAT WORKS))
http://simpleforum.a...aypal1_info.inc

#6 Demonic

Demonic
  • Members
  • PipPipPip
  • Advanced Member
  • 562 posts

Posted 17 September 2006 - 02:22 PM

Nice tips, people, thanks a bunch. Any more, keep 'em coming.

#7 redarrow

redarrow
  • Members
  • PipPipPip
  • Advanced Member
  • 7,308 posts
  • Locationlondon

Posted 17 September 2006 - 02:24 PM

onlyican
Nice example, I'll try that myself, cheers.

#8 onlyican

onlyican
  • Members
  • PipPipPip
  • Advanced Member
  • 921 posts
  • LocationHants - UK

Posted 17 September 2006 - 02:30 PM

If there's anything I missed there, let me know,
but I think my example covers everything,
and I added the strtolower for usernames and passwords
to make it easier.


#9 redarrow

redarrow
  • Members
  • PipPipPip
  • Advanced Member
  • 7,308 posts
  • Locationlondon

Posted 17 September 2006 - 02:46 PM

Is this the correct way to get the function to work on a different page? Cheers.

functions.php
<?php
function MakeSafe($str, $make_lower = false){
if($make_lower){
$str = strtolower($str);
}
$str = stripslashes($str);
$str = trim($str);
$str = strip_tags($str);
$str = mysql_real_escape_string($str);
// Hand the cleaned string back to the caller (missing in the original copy).
return $str;
}
?>

test.php
<?php
include("functions.php");

function MakeSafe($str, $make_lower = false);

$username = MakeSafe($_POST["username"], 1);

//This will make string safe, keeping case, (For names ect)
$name = MakeSafe($_POST["name"]);

?>


#10 Demonic

Demonic
  • Members
  • PipPipPip
  • Advanced Member
  • 562 posts

Posted 17 September 2006 - 03:14 PM

no
<?php
include("functions.php");

$username = MakeSafe($_POST["username"], 1);
//This will make string safe, keeping case, (For names ect)
$name = MakeSafe($_POST["name"]);

?>

All you have to do.

#11 redarrow

redarrow
  • Members
  • PipPipPip
  • Advanced Member
  • 7,308 posts
  • Locationlondon

Posted 17 September 2006 - 03:23 PM

OK, that's because the function is being called within the variables $username and $name.

Get it.

cheers.

#12 onlyican

onlyican
  • Members
  • PipPipPip
  • Advanced Member
  • 921 posts
  • LocationHants - UK

Posted 17 September 2006 - 03:25 PM

That has created a function,
a function just like the things inside it.
mysql_real_escape_string is a function,
strtolower is a function.

As long as it's on the same page, it works,
and using include or require puts it on the same page.



