A Web Design Community curated by Chris Coyier


Sanitize Database Inputs

1) Function for stripping out malicious bits

<?php
function cleanInput($input) {

  // preg_replace() applies the patterns in array order, so the specific
  // patterns (script, style, comments) must run before the generic tag
  // stripper; otherwise the generic pattern removes the <style> tags first
  // and leaves the CSS text behind.
  $search = array(
    '@<script[^>]*?>.*?</script>@si',   // Strip out javascript (tag and contents)
    '@<style[^>]*?>.*?</style>@si',     // Strip style tags and their contents
    '@<![\s\S]*?--[ \t\n\r]*>@',        // Strip multi-line comments
    '@<[\/\!]*?[^<>]*?>@si'             // Strip any remaining HTML tags
  );

  $output = preg_replace($search, '', $input);
  return $output;
}
?>

2) Sanitization function

Uses the function above, then escapes the result for MySQL (backslashes before quotes) so that quotes in the input do not break database queries.

<?php
function sanitize($input) {
    if (is_array($input)) {
        $output = array();   // otherwise undefined (and a notice) for an empty array
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    }
    else {
        // magic_quotes_gpc has been off since PHP 5.4 and the function was removed
        // in PHP 8.0; the check only matters on old installs where input arrived
        // already back-slashed.
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $input  = cleanInput($input);
        // Escapes the string for a MySQL literal. Needs an open connection from the
        // old mysql extension, which was removed in PHP 7.0.
        $output = mysql_real_escape_string($input);
    }
    return $output;
}
?>

Usage

<?php
  $bad_string = "Hi! <script src='http://www.evilsite.com/bad_script.js'></script> It's a good day!";
  $good_string = sanitize($bad_string);
  // $good_string returns "Hi! It\'s a good day!"

  // Also use for getting POST/GET variables
  $_POST = sanitize($_POST);
  $_GET  = sanitize($_GET);
?>
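The snippet folds two different problems (SQL injection and XSS) into one input filter. As an added example, not part of the original snippet, the following shows the layered approach that the comments below argue for: a parameterized query keeps user text out of the SQL entirely, and htmlspecialchars() encodes it only at output time, so the stored text stays intact and no tag can form in the page. It assumes the pdo_sqlite extension is available (an in-memory SQLite database stands in for MySQL so it runs without a server); the table, function names and the sample input are constructed for this example.

```php
<?php
// Added example, not from the original snippet.
// SQL injection: bound parameters, no mysql_real_escape_string() (removed in PHP 7)
//                and no magic_quotes (gone since PHP 5.4).
// XSS: escape at render time with htmlspecialchars(), not on the way in.

// In-memory SQLite stands in for MySQL so this runs offline (assumes pdo_sqlite).
function openDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// Store whatever the user typed; the placeholder keeps it out of the SQL text,
// so quotes, dashes or tags in $body cannot change the statement.
function storeComment(PDO $db, string $body): int {
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

// Fetch by id, again with a bound parameter rather than string concatenation.
function loadComment(PDO $db, int $id): ?string {
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['body'];
}

// Encode for the HTML element/attribute context at the moment of output.
// ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE avoids returning an
// empty string on invalid UTF-8.
function renderComment(string $body): string {
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

$db = openDemoDb();

// Constructed sample input: the snippet's own example string, plus a quote and
// the spaced "< script>" variant from the comments, which a regex filter misses.
$input = "Hi! <script src='http://www.evilsite.com/bad_script.js'></script> "
       . "It's a good day! ' OR 1=1 -- < script>x</script>";

$id     = storeComment($db, $input);
$stored = loadComment($db, $id);

// Nothing was stripped or back-slashed on the way in: the database holds
// exactly what the user sent, and the quote did not break the INSERT.
var_dump($stored === $input);

// Every < > & ' " is encoded here, so neither tag variant can execute.
echo renderComment($stored), PHP_EOL;
```

The same stored text can be re-encoded for other contexts later (JSON for an API, a URL parameter, a mail body), which is why storing the raw text and encoding at output is the more robust split than stripping on input; a filter like cleanInput() has to guess every context in advance.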


10 Responses

  1. iMaxEst says:

    I use my own functions as follow:

    function text_global($poster) {
      $poster = stripslashes($poster);
      // Drop newlines and normalise the single- and double-quote variants.
      // The double-quote replacement is reconstructed as the &quot; entity:
      // the page shows it as a bare quote inside quotes, which is not valid PHP.
      $poster = str_replace(
        array("\n", "'", "‘", "’", "′", "“", "”", "„", "″", '"'),
        array("", "’", "’", "’", "’", "&quot;", "&quot;", "&quot;", "&quot;", "&quot;"),
        $poster
      );
      return $poster;
    }

    // foreach replaces the original while/list/each loop (each() was removed in PHP 8)
    foreach ($_POST as $Key => $Val) {
      if (substr($Key, 0, 4) != "fsk_") {
        if (is_array($Val) === true) {
          foreach ($Val as $sKey => $sVal) {
            $Val[$sKey] = text_global($sVal);
          }
          $_POST[$Key] = $Val;
        } else {
          $_POST[$Key] = text_global($Val);
        }
      }
    }

    Where “fsk_” prefix is used for WYSIWYG editor variables. Works perfectly.

    • OldGuy says:

      @iMaxEst: I think you may have missed the point here. Preparing data is just a side issue. Sanitizing data prevents code injection attacks.

      stripslashes() != sanitize()

  2. Laura says:

    Really nice functions Chris! Neat way of using regular expressions; these snippets will definitely find their way into my library script.

    Thanks a bunch!

  3. Henk says:

    Why clean the input of html/script tags?
    You only have to worry about XSS when you prepare the output!

    Protect your database through prepared statements and htmlspecialchars() will care about the output.

  4. jeff says:

    It seems like a good idea to clean input. Why do I want to store potentially malignant code in my database?

  5. Phil says:

    What about ASP ? anyone..

  6. Brian Lang says:

    These code snippets don’t come through very nicely via RSS. All the line breaks seem to disappear.

  7. amm257 says:

    These are nigh useless and overly complicated; e.g. the html one simply matches anything with “<", so why not make that explicit? Currently that's all that expression does, all this extra stuff merely serves to obfuscate the issue. E.g. the javascript one doesn't work, all I have to do is add a space: "scripthere”, the browser will figure out what I meant, and the script will execute.

    • amm257 says:

      I apologize, whoever wrote this filter did it both right and wrong (wrong because they simply remove it, instead of escaping it, right because it catches it), I’ve cleaned it up with characters escaped by hand, this should work:

      These are nigh useless and overly complicated; e.g. the html one simply matches anything with “<”, so why not make that explicit? Currently that’s all that expression does, all this extra stuff merely serves to obfuscate the issue. E.g. the javascript one doesn’t work, all I have to do is add a space: “< script>scripthere</script>”, the browser will figure out what I meant, and the script will execute.

  8. gibigbig says:

    Mine is pretty small and handy for getting rid of nasty hacking injections

    function clean($text)
    {
        $text = strip_tags($text);
        $text = htmlspecialchars($text, ENT_QUOTES);

        return ($text); //output clean text
    }
