MakeWebGames

Posted

Ok, I'm currently working on a script (not McCodes). The thing is, I believe it is right, but I want to verify with some people.

When I mres (for example)

Hit's

In the database it only shows up as

Hit's

I think this is right, because if I'm not mistaken it is only escaped in the query, so it will not show up as

Hit\'s

in the database (unless magic quotes, which I'm not using).

Here is a snippet of example code.

This is the function I'm using (opinions on that are open also).

Also, I didn't make the function; I found it on the net, so of course I don't take credit for it.

 

function mres($text)
{
    $text = trim($text);
    // Entity-encode angle brackets before strip_tags() runs. The replacement
    // targets were rendered back to "<" and ">" on this page; "&lt;"/"&gt;" are assumed here.
    $text = str_replace("<", "&lt;", $text);
    $text = str_replace(">", "&gt;", $text);
    $text = strip_tags($text);
    // ENT_NOQUOTES leaves ' and " untouched; the & of the entities above gets re-encoded to &amp;
    $text = htmlspecialchars($text, ENT_NOQUOTES);
    // Escapes for the SQL string literal only (the escape is consumed by the query parser,
    // so the stored value has no backslash). mysql_* is removed in PHP 7+.
    $text = mysql_real_escape_string($text);
    return $text;
}

 

Now the code For sending the info.

 

// $user is concatenated unescaped: only safe if it is an integer the script set itself (e.g. from the session)
$get_name = $db->query_first("SELECT users_name FROM users WHERE users_id = ".$user."");
// The <br /> tags are assumed; the line-break markup did not survive the page rendering.
// The stored name is printed without output escaping (it relies on mres() having encoded it on the way in).
printf('Your current name is '.$get_name['users_name'].'<br />');
printf('If you wish to change it just enter a new name in the input area below.<br />');
printf('If you do not wish to change it, just click the link below to go back.<br />');
printf('<form action="'.$url.'settings" method="post">');
printf('<input type="text" name="do_name" /><br />');
printf('<input type="submit" value="Change Name" />');
printf('</form>');

 

This is the code that is entering it into the database

 

$clean_name_input = sprintf("UPDATE users SET users_name = '%s' WHERE users_id = ".$user."", mres($_POST['do_name']));
$db->query($clean_name_input);
// As posted: the raw POST value is reflected into the page unescaped, and it is
// concatenated into the printf() format string, so a '%' in the name is interpreted by printf()
printf('Your name has just been changed to '.$_POST['do_name'].'');

 

Now here is the main reason I think it is right: if on the printf statement I put the mres, it does show up as Hit\'s, but the database doesn't.

I'm sure this is correct. Just wanted to verify.

Posted

A few criticisms, then I'll answer your question :P

Using str_replace() to remove the < and >, and then using strip_tags()?

htmlspecialchars() is best used for output if you want to minimise what goes into your database.

printf() isn't required for normal strings (no variables), or strings that you don't intend to format properly ;)

What I'd do:

1st code:

function mres($str) {
    global $connection_identifier; // the mysql link resource; a function body cannot see it otherwise
    return trim(mysql_real_escape_string($str, $connection_identifier));
}

 

2nd code:

// <br /> assumed; the line-break markup did not survive the page rendering.
// stripslashes() only matters if magic quotes doubled the backslashes on the way in.
printf("Your current name is %s<br />", stripslashes(htmlspecialchars($get_name['users_name'])));

 

3rd code:

// Arguments must follow placeholder order: the name fills %s, the id fills %u
$clean_name_input = sprintf("UPDATE users SET users_name = '%s' WHERE users_id = %u", mres($_POST['do_name']), $user);
$db->query($clean_name_input);
printf('Your name has just been changed to %s', htmlspecialchars($_POST['do_name']));

 

Still secure, done properly, and it won't eat as much space in your database.

To answer your question: it didn't escape the apostrophe because there was no apostrophe, only its HTML entity "

When assigning ENT_NOQUOTES to htmlspecialchars(), it'll do that :P
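The point both posts circle around (the escape exists only so the SQL parser reads one literal, so the stored value carries no backslash, and HTML encoding belongs at output time rather than in the row) is easiest to see with the statements actually executed. The following is an added example, not code from either post, written as a Python/sqlite3 analogue of the PHP/MySQL code above: escape_literal() stands in for mysql_real_escape_string() (SQLite doubles the quote where MySQL backslashes it, but the role is identical), the user table, user id 1 and the sample names are constructed for the demonstration, and html.escape() plays the part of htmlspecialchars() without ENT_NOQUOTES.

```python
import html
import sqlite3

# Constructed sample names for the demonstration (not taken from the thread).
SAMPLE_NAMES = ["Hit's", "<b>Bob</b>", "Hit's <script>alert(1)</script>"]


def escape_literal(value: str) -> str:
    """Escape a value for embedding inside an SQL single-quoted literal.

    This is the job mysql_real_escape_string() did in the thread. SQLite's
    dialect doubles the quote ('') where MySQL would write \\'; either way the
    escape exists only so the parser reads a single literal, and it is not stored.
    """
    return value.replace("'", "''")


def new_db() -> sqlite3.Connection:
    """In-memory stand-in for the thread's users table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (users_id INTEGER PRIMARY KEY, users_name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'anonymous')")
    return conn


def stored_name(conn: sqlite3.Connection, user_id: int) -> str:
    row = conn.execute(
        "SELECT users_name FROM users WHERE users_id = ?", (user_id,)
    ).fetchone()
    return row[0]


def update_unescaped(conn: sqlite3.Connection, user_id: int, name: str) -> bool:
    """Concatenated UPDATE with no escaping at all. Returns True if it ran.

    A name containing a quote breaks the literal, which is the failure
    (and the injection point) that escaping or binding exists to prevent.
    """
    sql = "UPDATE users SET users_name = '%s' WHERE users_id = %d" % (name, int(user_id))
    try:
        conn.execute(sql)
        return True
    except sqlite3.OperationalError:
        return False


def update_escaped(conn: sqlite3.Connection, user_id: int, name: str) -> str:
    """The thread's approach: escape, then concatenate. Returns the SQL text sent.

    The query text carries the escaped form; the row ends up with the plain value.
    """
    sql = "UPDATE users SET users_name = '%s' WHERE users_id = %d" % (
        escape_literal(name), int(user_id))
    conn.execute(sql)
    return sql


def update_parameterised(conn: sqlite3.Connection, user_id: int, name: str) -> None:
    """What to do instead: bind the value so the driver keeps it out of the SQL text."""
    conn.execute("UPDATE users SET users_name = ? WHERE users_id = ?", (name, int(user_id)))


def render_name(name: str) -> str:
    """Output-time HTML escaping, as the reply recommends: the row keeps the raw
    name, and quote=True also encodes ' and " (the opposite of ENT_NOQUOTES)."""
    return "Your current name is " + html.escape(name, quote=True)


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        conn = new_db()
        print("unescaped ran:", update_unescaped(conn, 1, name))
        print("escaped SQL:  ", update_escaped(conn, 1, name))
        print("stored value: ", stored_name(conn, 1))
        update_parameterised(conn, 1, name)
        print("bound value:  ", stored_name(conn, 1))
        print("rendered:     ", render_name(stored_name(conn, 1)))
        print()
```

Run it and compare the "escaped SQL" line with the "stored value" line for Hit's: the statement text contains 'Hit''s' while the row holds Hit's, which is exactly what the first post observed in its database. The bound form stores the same value without any escaping step, and the rendered line shows the tags and quotes being neutralised only at the moment the name is written into HTML.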

Posted

I was using str_replace() and strip_tags() for separate reasons, mostly just in case there is an attack that doesn't involve a full comment.

When I found the function it already had the htmlspecialchars, so I just didn't remove it lol.

The printf, yeah, I know it is not required on most of what I type, but it is habit lol.

Also, thanks for the response :)
