MyBB Community Forums

Full Version: pS() Help
Yo,

So a while ago I asked about security and now I worked up this function.

function pS($string){
	$string = mysql_real_escape_string($string);
	$string = stripslashes($string);
	$string = htmlspecialchars($string);
	return $string;
}


It will be used with $_GET and $_POST.

So like
pS($_GET['this'])

Would this work ok? Or is there anything I need to add?
You'll need to return it as something, like
$this = pS($_GET['this']);

You could return it as $_GET['this'] too if you wanted to.
Yeah, but will that protect from everything?
It didn't work for some reason though when I just use

function pS($string){
	$string = mysql_real_escape_string($string);
	return $string;	
}

It protects it from injection just not <script>
mysql_real_escape_string protects from injection.
htmlspecialchars/htmlentities protects from XSS.

Don't use the function in the OP because, well
1. Stripslashes will basically reverse mysql_real_escape_string.
2. If you aren't inserting data in the database there's no reason to escape it.
3. If you are inserting data into the database you have less control over your variables. (eg. If you know the variable has to be an integer you should just use intval() or cast it as an integer.)
4. If you'll never be displaying the data you shouldn't run it through htmlspecialchars/htmlentities.

Just my 2 cents.
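As an added illustration of the points above (not code from the thread), here is the context-specific approach in PHP: validate integers by type, let a prepared statement carry database values, and escape only at HTML output. It uses an in-memory SQLite database through PDO so it runs without MySQL; the users table and its columns are made up, and addslashes stands in for mysql_real_escape_string (which needs a live MySQL connection and was removed in PHP 7) to show how stripslashes undoes the escaping.

```php
<?php
// Added example (not from the thread). Assumes the PDO sqlite driver; the users
// table and its columns are constructed for the demo.

// Why the OP's pS() loses its escaping: stripslashes removes exactly the backslashes
// the escaper added (addslashes stands in for mysql_real_escape_string here).
function escapeThenStrip(string $s): string {
    return stripslashes(addslashes($s));   // same as $s again: the escaping is gone
}

// 1. Integer inputs: validate by type instead of escaping strings.
function readPage(array $get): int {
    return isset($get['page']) ? max(1, intval($get['page'])) : 1;
}

// 2. Database inputs: a prepared statement sends the value separately from the SQL
//    text, so quotes in the value cannot change the query.
function findUser(PDO $db, string $username): ?array {
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. HTML output: escape at the point of display; the stored text stays intact.
function html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->prepare('INSERT INTO users (username) VALUES (:u)')->execute([':u' => "O'Brien"]);

var_dump(escapeThenStrip("O'Brien") === "O'Brien");           // the round trip is a no-op
var_dump(findUser($db, "O'Brien")['username'] === "O'Brien"); // apostrophe stored verbatim
echo html("O'Brien <b>bold</b>"), "\n";                       // escaped only for the page
echo readPage(['page' => '3abc']), "\n";                       // non-numeric tail dropped
```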
Ok, thanks. I protect all my $_GET and $_POST vars with it:

function pS($string){
	$string = mysql_real_escape_string($string);
	$string = strip_tags($string);
	return $string;	
}

That wipes out all the HTML and I believe it stops injection.

For example my login part is

$user = pS($_POST['user']);
$pass = pS($_POST['pass']);

and my logout is

if(pS($_GET['logout']) == "yes"){
	session_destroy();
	$message = error("You have been logged out");
}

Is that definitely all I need? I don't really know how to test against XSS and injection, though I know the login stops x=x with the password field.
Please reread my post.
So what's the difference between your html things and strip_tags? :s
http://php.net/manual/en/function.strip-tags.php
http://php.net/manual/en/function.htmlspecialchars.php

Both will protect against XSS but you usually want to preserve the end user's data.
And I'm basically saying you shouldn't use any one function for sanitation.
Once I remove all tags I am using str_replace for certain bbcode.
Yeah, good idea. Then no one can discuss html due to your post handler completely removing any and all tags.