Security holes.

[Nox]

But your function only works for mysql querys. Strip tags has its uses, htmlspecialchars definitely has its uses.
You need to escape specificaly for the situation
Your function for example won't protect you against XSS...if you don't use one of previously mentioned functions
than your sites are vulnerable to it (I hope I scared you now ,
not always bad to be worried )

... but I think this all was mentioned here before

Btw... why the capital letter in variable names? So much extra shift pressing...

[Crazy-T]

Btw... why the capital letter in variable names? So much extra shift pressing...

Karlos always does it always has guess its a habit. Or maybe he just likes Capital on every first word

[Scion]

camelCase http://en.wikipedia.org/wiki/CamelCase is quite a popular Idiom in many developer communities.

it helps readability of longer compound parameter names eg compare maxRowsPerRfc to maxrowsperrfc

[Nox]

I meant first capital letter ... I use $maxRows but I see no reason to use $Max instead of $max

[Karlos]

But your function only works for mysql querys. Strip tags has its uses, htmlspecialchars definitely has its uses.
You need to escape specificaly for the situation
Your function for example won't protect you against XSS...if you don't use one of previously mentioned functions
than your sites are vulnerable to it (I hope I scared you now ,
not always bad to be worried )

... but I think this all was mentioned here before

Btw... why the capital letter in variable names? So much extra shift pressing...

I believe your looking past the point a little bit.
htmlspecialchars(); should be used for displaying! Think about charsets and collations and even the field length, there are just so many problems with this!

Consider the string:
"It's a simple string" = 22 characters

Now passing that through mysql_real_escape_string(); and htmlspecicalchars();, this becomes:
"It\'s a simple string" = 33 characters

Starting to see, that not even messing with charsets, collations and considering the field lenght...


Please tell me any points I may of missed..

[Nox]

I didn't say it should be used for insering into database, it should be used when displaying, this topic is about overall security so I followed that
But strip_tags can be used when inserting if you don't want users to use html tags (at all or you're using bbcode), so you don't store this extra data

[Karlos]

I am purely basing what I am writing from the information for that function used by Darklandz, secureInput() suggests one thing for me, insertion in to the database, more so when i see mysql_real_escape_string();

string_tags() does have a good use, I will not deny that, but I have no good reason to use it for now.

[Karlos]

Btw... why the capital letter in variable names? So much extra shift pressing...

Karlos always does it always has guess its a habit. Or maybe he just likes Capital on every first word

Crazy-T/Alan/BadGirl or whatever ou wish to call yourself... You should know I've done it for ages, and I will continue displaying my code how I like. 

[Chris]

Btw... why the capital letter in variable names? So much extra shift pressing...

Karlos always does it always has guess its a habit. Or maybe he just likes Capital on every first word

Crazy-T/Alan/BadGirl or whatever ou wish to call yourself... You should know I've done it for ages, and I will continue displaying my code how I like. 

LOL, reputation +1, at least one person who don't believe in the "proper coding style" crap

[Karlos]

LOL, reputation +1, at least one person who don't believe in the "proper coding style" crap

I like to have my own style, I don't like to follow others, mine suits me and I like it

[Nox]

don't believe in the "proper coding style" crap

That's what we get for trying to make Karlos' life easier

[Karlos]

don't believe in the "proper coding style" crap

That's what we get for trying to make Karlos' life easier

How does that make my life easier? The only thing what would make my life eaiser is enough sleep

[Harkins]

LOL, reputation +1, at least one person who don't believe in the "proper coding style" crap

I like to have my own style, I don't like to follow others, mine suits me and I like it

And that'll be fine as long as you don't work with anyone else or expect to get too much help from people who may not have the patience to figure out another random style.

[Qwerty]

Well I just put trim() on everything so if it gets inserted into the database or file, there isn't all of the space wasted.

Also on my register code so users don't make accounts with usernames with spaces in the front.

[Crazy-T]

Why not upper there username first something like.

Code: [Select]

$username = mysql_real_escape_string(trim($_POST['name']));
$sql = $db->execute('SELECT `username` FROM `players` WHERE UPPER(`username`) = UPPER(\''. $username .'\')');
if($db->row_count($sql))
{
echo "This username is already exists. Please pick a new username.";
$error = true;
}
else
{
echo "Your account has been made.<br />";
echo "Your details are<br />";
echo "Username: ". stripslashes($_POST['name']) ."<br />";
echo "Password: ". $_POST['password'] ."<br />";
echo "<a href='login.php'>Click here to login your account</a>";
$error = false;
}Something like that?.