diff --git a/admin/admin_smilies.php b/admin/admin_smilies.php
index a5dcb984c..6011617b3 100644
--- a/admin/admin_smilies.php
+++ b/admin/admin_smilies.php
@@ -229,7 +229,7 @@ if (isset($_GET['import_pack']) || isset($_POST['import_pack'])) {
 case 'save':
 $smile_code = isset($_POST['smile_code']) ? trim($_POST['smile_code']) : trim($_GET['smile_code']);
 $smile_url = isset($_POST['smile_url']) ? trim($_POST['smile_url']) : trim($_GET['smile_url']);
- $smile_url = ltrim(basename($smile_url), "'");
+ $smile_url = bb_ltrim(basename($smile_url), "'");
 $smile_emotion = isset($_POST['smile_emotion']) ? trim($_POST['smile_emotion']) : trim($_GET['smile_emotion']);
 $smile_id = isset($_POST['smile_id']) ? (int)$_POST['smile_id'] : (int)$_GET['smile_id'];
@@ -256,7 +256,7 @@ if (isset($_GET['import_pack']) || isset($_POST['import_pack'])) {
 case 'savenew':
 $smile_code = $_POST['smile_code'] ?? $_GET['smile_code'];
 $smile_url = $_POST['smile_url'] ?? $_GET['smile_url'];
- $smile_url = ltrim(basename($smile_url), "'");
+ $smile_url = bb_ltrim(basename($smile_url), "'");
 $smile_emotion = $_POST['smile_emotion'] ?? $_GET['smile_emotion'];
 $smile_code = trim($smile_code);
 $smile_url = trim($smile_url);
diff --git a/common.php b/common.php
index 811d175de..a702f99e6 100644
--- a/common.php
+++ b/common.php
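Review bot: The changed line in the 'save' branch is a behavioural no-op: `bb_ltrim(basename($smile_url), "'")` passes an explicit charlist, and with a non-false charlist the wrapper only forwards to `ltrim`, so the result is identical to the removed line. If the wrapper is meant to harden this admin-supplied file name beyond what `basename()` already does, that intent should be stated on the line, e.g. `// basename() keeps only the file name; the charlist strips a leading quote only — leading whitespace was already trim()ed above`. The enclosing switch starts and ends outside the hunk.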
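Review bot: In the 'savenew' branch the quote strip runs before the whitespace trim, so a submitted value with leading whitespace keeps its quote: `bb_ltrim(basename($smile_url), "'")` executes before `$smile_url = trim($smile_url);`, and `basename()` preserves leading spaces, so an input such as ` 'x.gif` (constructed example) becomes `'x.gif` rather than `x.gif`. The 'save' branch in the previous hunk trims first and therefore does not have this gap. Trimming inside the call, `$smile_url = bb_ltrim(basename(trim($smile_url)), "'");`, makes the two branches agree. The enclosing switch starts and ends outside the hunk.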
@@ -349,19 +349,13 @@ function str_compact($str)
 return preg_replace('#\s+#u', ' ', trim($str));
 }
-/**
- * Generate a "random" alphanumeric string.
- *
- * Should not be considered sufficient for cryptography, etc.
- *
- * @param int|string $length
- * @return string
- */
-function make_rand_str($length = 10): string
+function make_rand_str($len = 10)
 {
- $pool = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
-
- return substr(str_shuffle(str_repeat($pool, (int)$length)), 0, $length);
+ $str = '';
+ while (strlen($str) < $len) {
+ $str .= str_shuffle(preg_replace('#[^0-9a-zA-Z]#', '', password_hash(uniqid(mt_rand(), true), PASSWORD_BCRYPT)));
+ }
+ return substr($str, 0, $len);
 }
 function array_deep(&$var, $fn, $one_dimensional = false, $array_only = false)
diff --git a/library/includes/functions.php b/library/includes/functions.php
index c74d889c0..7da441d5b 100644
--- a/library/includes/functions.php
+++ b/library/includes/functions.php
@@ -926,12 +926,34 @@ function get_db_stat($mode)
 function clean_username($username)
 {
 $username = mb_substr(htmlspecialchars(str_replace("\'", "'", trim($username))), 0, 25, 'UTF-8');
- $username = rtrim($username, "\\");
+ $username = bb_rtrim($username, "\\");
 $username = str_replace("'", "\'", $username);
 return $username;
 }
+function bb_ltrim($str, $charlist = false)
+{
+ if ($charlist === false) {
+ return ltrim($str);
+ }
+
+ $str = ltrim($str, $charlist);
+
+ return $str;
+}
+
+function bb_rtrim($str, $charlist = false)
+{
+ if ($charlist === false) {
+ return rtrim($str);
+ }
+
+ $str = rtrim($str, $charlist);
+
+ return $str;
+}
+
 // Get Userdata, $u can be username or user_id. If $force_name is true, the username will be forced.
 function get_userdata($u, $force_name = false, $allow_guest = false)
 {
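Review bot: The new body of `make_rand_str` computes a bcrypt `password_hash()` on every loop iteration merely to obtain filler characters, and seeds it from `uniqid(mt_rand(), true)`, which is not a cryptographic source; the digits and letters of the bcrypt prefix also survive the `preg_replace('#[^0-9a-zA-Z]#', ...)` and are shuffled into every chunk, so the output is both expensive and not uniformly distributed over the alphabet. The commit also drops the docblock and the `: string` return type that the removed side carried. Whether callers rely on these strings being unpredictable is not visible here, but `random_int()` over an explicit pool gives a uniform, CSPRNG-backed result at negligible cost while keeping the `$len = 10` signature.
```php
/**
 * Generate a random alphanumeric string.
 *
 * @param int|string $len number of characters (cast to int)
 * @return string
 */
function make_rand_str($len = 10): string
{
    $pool = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $last = strlen($pool) - 1;
    $str = '';
    // random_int() is CSPRNG-backed and unbiased, unlike mt_rand()/str_shuffle().
    for ($i = 0, $n = (int)$len; $i < $n; $i++) {
        $str .= $pool[random_int(0, $last)];
    }

    return $str;
}
```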
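Review bot: `bb_ltrim` and `bb_rtrim` add no behaviour over `ltrim`/`rtrim`: with `$charlist === false` they call the one-argument form, otherwise they forward the charlist unchanged, and the `$str = ltrim($str, $charlist); return $str;` temporary is unneeded. If the wrappers exist to tolerate non-string input (on PHP 8.1+ passing null to `ltrim()`/`rtrim()` is deprecated), that is the behaviour to add and document, e.g. `ltrim((string)$str, $charlist)`; otherwise each body collapses to `return $charlist === false ? ltrim($str) : ltrim($str, $charlist);` (and `rtrim` likewise). Both functions also lack a docblock; a one-line `/** ltrim() wrapper: $charlist === false selects PHP's default whitespace set */` would explain why the sentinel is `false` rather than an omitted argument, and the same applies to `bb_rtrim`.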