Sanitize inputs

[dorelo]

In the same way we call:

function clean($string) {
   $string = str_replace(' ', '', $string); // removes all spaces
   return preg_replace('/[^A-Za-z0-9\-]/', '', $string);
}

on $credentials to prevent sqli, we should do the same for the other user-controlled inputs, as done in this branch (for api.php).

If it is all taken care of later in the code by the following prepared statement:

$stmt = $mysqli->prepare("INSERT INTO notifications (credentials, title, message, image, link, ip) VALUES (
AES_ENCRYPT(?,'$key'),
AES_ENCRYPT(?,'$key'),
AES_ENCRYPT(?,'$key'),
AES_ENCRYPT(?,'$key'),
AES_ENCRYPT(?,'$key'),
AES_ENCRYPT(?,'$key')
)");

Then this pull request should be rejected, and calling clean() on any input might be useless.

I am not clear on whether it is. Needs discussion.

[dorelo]

Updated with new commit.

Re-read the function and obviously

function clean($string) {
   $string = str_replace(' ', '', $string); // removes all spaces
   return preg_replace('/[^A-Za-z0-9\-]/', '', $string);
}

Will strip any special chars from URLs... meaning they're not URLs any more. Which breaks the imageURL, link and possibly message fields.

So I think the solution is just prepared statements, and not using the clean function at all. It seems too hacky.