Mechphisto
11-29-2010, 10:24 PM
Every form field on our site I have running through this function; is this adequate protection from SQL injection and spam-hijacking? Or am I missing something crucial?
function field_sanitize_basic($input) {
if (!is_array($input))
{
$input = array($input);
}
$gobbledegook_alphabet = array('passwd','password','Bcc','mime','Content-Type','¡','¢','¤','|','§','¨','ª','«','¬','®','¯','°','±','²','³','µ','¶','·', '¸','¹','º','»','¼','½','¾','¿','À', 'Á','Â','Ã','Ä','Å','Æ','Ç','È','É','Ê','Ë','Ì','Í','Î','Ï','Ð', 'Ñ','Ò','Ó','Ô','Õ','Ö','×','Ø','Ù','Ú','Û','Ü','Ý','Þ','ß', 'à','á','â','ã','ä','å','æ','ç','è','é','ê','ë','ì','í', 'î','ï','ð','ñ','ó','õ','ö','÷','ø','ú', 'û','ü','ý','þ');
foreach($input as $key => $valueold){
foreach($gobbledegook_alphabet as $value2) {
if (stristr($valueold, $value2) !== false) {
$valueold = $input[$key] = str_ireplace($value2, '*', $valueold);
$_SESSION['field_sanitize_basic_warning'] = '<p class="note_bold">Some potentially unsafe text in your submission was removed!</p>';
}
}
$valueold = htmlspecialchars($valueold);
$valueold = stripslashes($valueold);
$valueclean = $valueold;
$value = $input[$key] = $valueclean;
}
return $input[0];
}
(Oh, the whole doing the input and return as an array, is because I'm working on returning errors and the like -- ignore some oddness about that part. I'm just curious right now about the actual security/substitution stuff.)
Thanks for any feedback!
Liam
function field_sanitize_basic($input) {
if (!is_array($input))
{
$input = array($input);
}
$gobbledegook_alphabet = array('passwd','password','Bcc','mime','Content-Type','¡','¢','¤','|','§','¨','ª','«','¬','®','¯','°','±','²','³','µ','¶','·', '¸','¹','º','»','¼','½','¾','¿','À', 'Á','Â','Ã','Ä','Å','Æ','Ç','È','É','Ê','Ë','Ì','Í','Î','Ï','Ð', 'Ñ','Ò','Ó','Ô','Õ','Ö','×','Ø','Ù','Ú','Û','Ü','Ý','Þ','ß', 'à','á','â','ã','ä','å','æ','ç','è','é','ê','ë','ì','í', 'î','ï','ð','ñ','ó','õ','ö','÷','ø','ú', 'û','ü','ý','þ');
foreach($input as $key => $valueold){
foreach($gobbledegook_alphabet as $value2) {
if (stristr($valueold, $value2) !== false) {
$valueold = $input[$key] = str_ireplace($value2, '*', $valueold);
$_SESSION['field_sanitize_basic_warning'] = '<p class="note_bold">Some potentially unsafe text in your submission was removed!</p>';
}
}
$valueold = htmlspecialchars($valueold);
$valueold = stripslashes($valueold);
$valueclean = $valueold;
$value = $input[$key] = $valueclean;
}
return $input[0];
}
(Oh, the whole doing the input and return as an array, is because I'm working on returning errors and the like -- ignore some oddness about that part. I'm just curious right now about the actual security/substitution stuff.)
Thanks for any feedback!
Liam