2007-05-09, 04:01 PM
I feel kinda cheeky posting this here as it isn't actually a MyBB mod, but I was just wondering if someone would look over this code and tell me if it is secure against SQL Exploits.
Basically, input from $_POST or $_GET is run through this function before it is put in the database (most of this was taken from the PHP website):
function MakeSafe($string, $dbcon)
{
    // Get rid of HTML
    $string = htmlentities($string);
    // Reverse magic_quotes_gpc/magic_quotes_sybase effects on those vars if ON.
    if(get_magic_quotes_gpc()) {
        if(ini_get('magic_quotes_sybase')) {
            $string = str_replace("''", "'", $string);
        } else {
            $string = stripslashes($string);
        }
    }
    // Make a safe string (escape for use inside a quoted MySQL literal)
    $string = mysql_real_escape_string($string, $dbcon);
    return $string;
}
And then when the database is queried for content, the content it returns is run through this function:
function MakeReadable($string)
{
    $string = stripslashes($string);
    // Fix anything that htmlentities broke (the entity strings below are
    // what the Edit underneath spells out; the forum rendered them)
    $str = array("&Acirc;&pound;");
    $rep = array("&pound;");
    $string = str_replace($str, $rep, $string);
    return $string;
}
The content is then printed to the screen.
Edit:
MyBB doesn't show the stuff in the str_replace arrays correctly, $str should be array("& Acirc;& pound;") (without spaces) and $rep should be array("& pound;"); (once again without the space).
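Added example, not the original poster's code: the same store-and-display flow rewritten so that the value crosses the SQL boundary as a bound parameter and crosses the HTML boundary through an encoder with an explicit charset, with nothing stripped or "fixed" in between. It uses PDO with an in-memory SQLite table so it runs offline (the post's code targets the mysql_* extension, which was removed in PHP 7); the table name, function names and the three sample strings are assumptions made for the example. It also shows why stripslashes() on the way out of the database loses data, and why the "&Acirc;&pound;" patch was needed at all.

```php
<?php
// Added example (not from the original post). Assumed names: table "posts",
// functions openDb/storePost/loadPost/renderPost, and the sample inputs below.
declare(strict_types=1);

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// SQL boundary: the value is sent as a bound parameter, never spliced into
// the query text, so quotes, backslashes and comment markers are inert.
// Nothing is escaped *into* the stored value.
function storePost(PDO $db, string $body): int {
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadPost(PDO $db, int $id): ?string {
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['body'];
}

// HTML boundary: encode at output time with an explicit charset.
// htmlentities() with the pre-PHP-5.4 default of ISO-8859-1 turns the
// UTF-8 pound sign (bytes C2 A3) into "&Acirc;&pound;", which is exactly
// the breakage the original MakeReadable() has to patch over.
function renderPost(string $body): string {
    return htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: an injection attempt, a Windows path with
// backslashes, and a UTF-8 pound sign next to some HTML.
$samples = [
    "'; DROP TABLE posts; --",
    'C:\\temp\\notes.txt',
    'Price: £5 <b>bold</b>',
];

$db = openDb();
foreach ($samples as $in) {
    $id  = storePost($db, $in);
    $out = loadPost($db, $id);
    // The row holds the original bytes: no slashes, no entities were added.
    if ($out !== $in) {
        throw new RuntimeException('stored value was altered: ' . $out);
    }
    echo renderPost($out), "\n";
}

// Why stripslashes() on output is a bug rather than a safety measure: the
// escaping done by mysql_real_escape_string (or by a bound parameter) is
// consumed by the database and never reaches the row, so the only
// backslashes left to strip are ones the user actually typed.
var_dump(stripslashes((string) loadPost($db, 2)));
// stripslashes() here yields "C:tempnotes.txt": the path is silently damaged.
```

The two rules this encodes are the ones the original functions mix up: escape (or parameterize) for the database immediately before the query and only there, and encode for HTML immediately before echoing and only there. Stored data stays raw, so there is never anything to undo on the way out, and the &Acirc;&pound; fixup disappears because the charset is stated rather than defaulted.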