Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and receive their own URL. I've, without testing, written this part of the script to clean the input; are there major security risks?

<?php
// Strip <script> elements from a string (this is the only pattern in the list)
function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si', // Strip out javascript
    );
    $output = preg_replace($search, '', $input);
    return $output;
}

// Recursively clean a value (or array of values) and escape it for MySQL
function sanitize($input) {
    if (is_array($input)) {
        $output = array();
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $input = cleanInput($input);
        $output = mysql_real_escape_string($input);
    }
    return $output;
}

//Define date for entry
$date = date("Y-m-d");

//clean input (sanitize() already calls cleanInput(), so the outer call runs the regex a second time)
$_title   = sanitize(cleanInput($_POST['title']));
$_uid     = sanitize(cleanInput($_POST['uid']));
$_desc    = sanitize(cleanInput($_POST['desc']));
$_content = sanitize(cleanInput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
    // Use the function parameters; the $_title/$_uid globals are not in scope here
    mysql_query("INSERT INTO pageit
        (title, userid, `desc`, dateadded, content)
        VALUES('" . $title . "','" . $uid . "','" . $desc . "','" . $date . "','" . $content . "')")
        or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..
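The posted script mixes two separate concerns: keeping the SQL statement intact (which mysql_real_escape_string addresses for quoted string literals) and deciding which HTML a user may publish (which a single regex for <script> elements does not address, since it leaves every other element and attribute untouched). The example below is added here and is not the poster's code or any answer from the forum. It shows the two concerns handled separately: a whitelist-based cleaner built on DOMDocument that keeps only listed elements and attributes and drops URL attributes carrying any scheme other than http(s), and a parameterised insert through PDO so the data never becomes part of the SQL text. It assumes PHP 7+ with the dom and pdo_mysql extensions; the table and column names come from the question, the tag and attribute whitelists are a design choice for this example, and the DSN and credentials are placeholders.

```php
<?php
// Added example, not the poster's script. Assumes PHP 7+, ext/dom and ext/pdo_mysql.

// Whitelists (assumption for this example): only these elements/attributes survive.
const ALLOWED_TAGS  = ['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'a', 'img', 'h1', 'h2', 'h3'];
const ALLOWED_ATTRS = ['a' => ['href'], 'img' => ['src', 'alt']];

// Parse the fragment, walk the tree, and re-serialise only what the whitelist allows.
function cleanHtml(string $html): string {
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);           // tolerate sloppy markup quietly
    // The leading XML PI tells libxml the input is UTF-8; the div gives us one known root.
    $doc->loadHTML('<?xml encoding="UTF-8"><div id="root">' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $root = (new DOMXPath($doc))->query('//div[@id="root"]')->item(0);
    if ($root === null) {
        return '';
    }
    cleanNode($root);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function cleanNode(DOMNode $node): void {
    // Iterate over a static copy: the live childNodes list changes as nodes are removed/unwrapped.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                if ($tag === 'script' || $tag === 'style') {
                    $node->removeChild($child);              // drop element and its contents
                    continue;
                }
                cleanNode($child);                           // unwrap: keep children, drop the tag
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
                continue;
            }
            cleanAttributes($child, $tag);
            cleanNode($child);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);                      // comments, PIs, CDATA are not needed
        }
    }
}

function cleanAttributes(DOMElement $el, string $tag): void {
    $allowed = ALLOWED_ATTRS[$tag] ?? [];
    $names = [];
    foreach ($el->attributes as $attr) {                     // copy names first; removing while
        $names[] = $attr->name;                              // iterating the map skips entries
    }
    foreach ($names as $name) {
        $lname = strtolower($name);
        if (!in_array($lname, $allowed, true)) {
            $el->removeAttribute($name);                     // this also removes every on* handler
            continue;
        }
        if ($lname === 'href' || $lname === 'src') {
            $value = trim($el->getAttribute($name));
            // Allow absolute http(s) URLs and scheme-less relative URLs; anything with another
            // scheme (i.e. a colon before any slash) is dropped.
            $ok = preg_match('#^https?://#i', $value) === 1 || strpos($value, ':') === false;
            if (!$ok) {
                $el->removeAttribute($name);
            }
        }
    }
}

// Parameterised insert: values travel separately from the SQL text, so no string escaping
// (and no magic-quotes handling) is involved.
function insertPage(PDO $db, string $title, string $uid, string $desc, string $content): void {
    $stmt = $db->prepare(
        'INSERT INTO pageit (title, userid, `desc`, dateadded, content) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->execute([$title, $uid, $desc, date('Y-m-d'), cleanHtml($content)]);
}

// Wiring (placeholder DSN/credentials; ATTR_EMULATE_PREPARES=false keeps real server-side binding):
// $db = new PDO('mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4',
//               'PLACEHOLDER_USER', 'PLACEHOLDER_PASS',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
// insertPage($db, $_POST['title'] ?? '', $_POST['uid'] ?? '', $_POST['desc'] ?? '', $_POST['content'] ?? '');
```

Title, uid and desc are stored as plain strings here and should be passed through htmlspecialchars() when rendered; only the content column is expected to hold markup, and it is cleaned on the way in by the whitelist rather than by a blacklist regex.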

No comments posted yet
