I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and receive their own URL. I've, without testing, written this part of the script to clean the input. Are there major security risks?
function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si', // Strip out javascript
    );
    $output = preg_replace($search, '', $input);
    return $output;
}

function sanitize($input) {
    if (is_array($input)) {
        $output = array(); // so an empty array still yields an array
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $input = cleanInput($input);
        $output = mysql_real_escape_string($input);
    }
    return $output;
}

// Define date for entry
$date = date("Y-m-d");

// Clean input
$_title   = sanitize(cleanInput($_POST['title']));
$_uid     = sanitize(cleanInput($_POST['uid']));
$_desc    = sanitize(cleanInput($_POST['desc']));
$_content = sanitize(cleanInput($_POST['content']));

// Insert a row of information into the table with function.
// The function's own parameters are used in the query; the $_uid, $_desc
// and $_content globals are not visible inside a function.
function insert($title, $uid, $desc, $date, $content) {
    mysql_query("INSERT INTO pageit
        (title, userid, `desc`, dateadded, content)
        VALUES ('" . $title . "','" . $uid . "','" . $desc . "','" . $date . "','" . $content . "')")
        or die(mysql_error());
}

// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
// Done script stuff for now..
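Two things a reviewer would flag in the posted script: the `<script>` regex is a blacklist that matches one tag form only (markup that runs script through attributes or `javascript:` URLs is left in place, so it is not an XSS defence for content that will be rendered as HTML), and escaping each value with `mysql_real_escape_string()` and then concatenating it into the query string is weaker than keeping data and SQL separate with a prepared statement (the `mysql_*` extension is also removed in PHP 7). The following is an added example, not the asker's code: the same insert rewritten with PDO prepared statements, plus an allowlist sanitiser built on DOMDocument for the page body. The table and column names come from the post; the DSN, credentials, function names and the allowed tag and attribute lists are assumptions.

```php
<?php
// Added example, not the asker's code. Hardened version of the same flow:
// PDO prepared statements for the INSERT and a DOM allowlist for the HTML
// "page" content. Table/column names come from the post; the DSN,
// credentials and the allowed tag/attribute lists are assumptions.

// Elements and attributes a page may contain. Anything else, including
// <script>, <style>, <iframe> and event-handler attributes, is removed.
const ALLOWED_TAGS    = ['p', 'br', 'b', 'i', 'em', 'strong', 'u', 'ul', 'ol', 'li',
                         'h1', 'h2', 'h3', 'blockquote', 'a', 'img'];
const ALLOWED_ATTRS   = ['a' => ['href', 'title'], 'img' => ['src', 'alt']];
const URL_ATTRS       = ['href', 'src'];
const ALLOWED_SCHEMES = ['http', 'https'];

function sanitizeHtml(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate sloppy user markup quietly
    $doc->loadHTML('<!DOCTYPE html><html><head>'
        . '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '</head><body>' . $html . '</body></html>');
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    cleanNode($body);

    // Re-serialise only the body's children, i.e. the cleaned fragment.
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function cleanNode(DOMNode $node): void
{
    // Work on a snapshot: removing children mutates the live childNodes list.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                $node->removeChild($child); // drop the element and its subtree
                continue;
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                $keep = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                    && (!in_array($name, URL_ATTRS, true) || safeUrl($attr->value));
                if (!$keep) {
                    $child->removeAttribute($attr->name);
                }
            }
            cleanNode($child);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child); // comments, processing instructions, etc.
        }
    }
}

function safeUrl(string $url): bool
{
    // Browsers ignore embedded control characters and whitespace when
    // resolving a URL, so strip them before inspecting the scheme.
    $url = preg_replace('/[\x00-\x20\x7f]/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        return true; // relative URL: no scheme to check
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

function insertPage(PDO $db, string $title, string $uid, string $desc, string $content): void
{
    // Placeholders keep data and SQL separate; no manual escaping of values.
    $stmt = $db->prepare(
        'INSERT INTO pageit (title, userid, `desc`, dateadded, content) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->execute([$title, $uid, $desc, date('Y-m-d'), $content]);
}

// Assumed connection details.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
]);

// Title and description are stored as plain text and encoded on output;
// only the page body is allowed to carry markup, and that is sanitised.
insertPage(
    $db,
    $_POST['title'] ?? '',
    $_POST['uid'] ?? '',
    $_POST['desc'] ?? '',
    sanitizeHtml($_POST['content'] ?? '')
);
```

When the page is displayed, the title and description go through `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` and the sanitised body is echoed as-is. Disallowed elements are removed together with their contents rather than unwrapped, so text that was inside a `<script>` or `<style>` element never reaches the page; if you would rather keep the text of, say, a stray `<div>`, replace the element with its child nodes instead of calling `removeChild()`. The allowlist is the part to review when the feature grows: every tag or attribute added to it should be one you are sure cannot carry script or load remote content.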