Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and receive their own url.. I've, without testing, written this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si', // Strip out javascript
    );
    $output = preg_replace($search, '', $input);
    return $output;
}

function sanitize($input) {
    if (is_array($input)) {
        $output = array();               // initialise so an empty array still returns an array
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $input = cleanInput($input);
        // mysql_real_escape_string() needs an open mysql_connect() link, assumed to exist above
        $output = mysql_real_escape_string($input);
    }
    return $output;
}

//Define date for entry
$date = date("Y-m-d");

//clean input (sanitize() already calls cleanInput(), so it is not called twice here)
$_title   = sanitize($_POST['title']);
$_uid     = sanitize($_POST['uid']);
$_desc    = sanitize($_POST['desc']);
$_content = sanitize($_POST['content']);

// Insert a row of information into the table with function.
// The function must use its own parameters: $_uid, $_desc and $_content are
// not visible inside the function scope, and "_$title" was a typo for "$title".
function insert($title, $uid, $desc, $date, $content) {
    mysql_query("INSERT INTO pageit
        (title, userid, `desc`, dateadded, content)
        VALUES ('" . $title . "','" . $uid . "','" . $desc . "','" . $date . "','" . $content . "')")
        or die(mysql_error());
}

// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..
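For comparison, here is how the same insert and the HTML cleaning can be done without relying on string-built SQL or a single regex. This is an added example, not the poster's code: a regex that removes <script> elements says nothing about event-handler attributes or script-carrying URLs, and mysql_real_escape_string() only protects quoted string contexts and needs an open connection. The example uses PDO with an in-memory SQLite database so it runs stand-alone (the poster's table name pageit and its columns are kept; the allow-list of tags and attributes, the sample content and the user id are constructed for the demo).

```php
<?php
// Added example (not the poster's code): prepared statement for the insert,
// DOM-based allow-list for user HTML. Runs with PHP >= 7 and the pdo_sqlite
// and dom extensions; no MySQL server required.

// Tags and attributes a "page" may contain (constructed allow-list).
const ALLOWED_TAGS  = ['p', 'br', 'b', 'i', 'em', 'strong', 'a', 'img', 'ul', 'ol', 'li', 'h1', 'h2', 'h3'];
const ALLOWED_ATTRS = ['a' => ['href'], 'img' => ['src', 'alt']];
// Elements whose content is discarded together with the tag.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

// Only plain http(s) URLs survive; any other scheme loses the attribute.
function safeUrl(string $url): ?string {
    $url = trim($url);
    return preg_match('#^https?://#i', $url) === 1 ? $url : null;
}

// Parse the fragment into a DOM, walk it, and serialise what is left.
function sanitizeHtml(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                 // tolerate sloppy user markup
    $doc->loadHTML('<?xml encoding="utf-8"?><div id="root">' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->documentElement;                    // the wrapper <div>
    cleanNode($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Recursive allow-list: unknown elements are unwrapped (text kept, tag dropped),
// dangerous ones removed entirely, attributes reduced to the allowed set.
function cleanNode(DOMNode $node): void {
    // Copy the list first: the tree is modified while iterating.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMComment) {
            $node->removeChild($child);
            continue;
        }
        if (!($child instanceof DOMElement)) {
            continue;                                 // text nodes are kept as-is
        }
        $tag = strtolower($child->tagName);
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            if (in_array($tag, DROP_WITH_CONTENT, true)) {
                $node->removeChild($child);
            } else {
                cleanNode($child);
                while ($child->firstChild) {          // hoist children, then drop the tag
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
            }
            continue;
        }
        $allowed = ALLOWED_ATTRS[$tag] ?? [];
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            if (!in_array($name, $allowed, true)) {
                $child->removeAttribute($attr->name); // e.g. any on* handler
            } elseif (in_array($name, ['href', 'src'], true)) {
                $safe = safeUrl($attr->value);
                if ($safe === null) {
                    $child->removeAttribute($attr->name);
                } else {
                    $child->setAttribute($attr->name, $safe);
                }
            }
        }
        cleanNode($child);
    }
}

// Prepared statement: values travel separately from the SQL text, so no
// escaping function is needed and quotes in the data cannot alter the query.
function storePage(PDO $db, string $title, string $uid, string $desc, string $content): int {
    $stmt = $db->prepare(
        'INSERT INTO pageit (title, userid, "desc", dateadded, content) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->execute([$title, $uid, $desc, date('Y-m-d'), sanitizeHtml($content)]);
    return (int) $db->lastInsertId();
}

// Demo against an in-memory SQLite database (constructed; schema mirrors the poster's table).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pageit (id INTEGER PRIMARY KEY, title TEXT, userid TEXT,
           "desc" TEXT, dateadded TEXT, content TEXT)');

$constructedTitle   = "Bob's page";                   // the quote that breaks string-built SQL
$constructedContent = '<p onclick="x()">Hi <b>there</b></p>'
                    . '<script>alert(1)</script>'
                    . '<a href="javascript:void(0)">link</a>';

$id   = storePage($db, $constructedTitle, 'u42', 'demo page', $constructedContent);
$stmt = $db->prepare('SELECT title, content FROM pageit WHERE id = ?');
$stmt->execute([$id]);
$row  = $stmt->fetch(PDO::FETCH_ASSOC);

// Plain-text fields are escaped at output time; the HTML field was allow-listed at input time.
echo '<h1>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . "</h1>\n";
echo $row['content'], "\n";
```

Two design points are worth stating. Sanitising HTML on the way in and escaping plain text on the way out are separate jobs: the title, uid and description are never HTML, so they are stored verbatim and passed through htmlspecialchars() when rendered, while the content field is reduced to the allow-list before storage. And the parameterised insert replaces mysql_real_escape_string() entirely, which also removes the dependency on get_magic_quotes_gpc() and on an open mysql_connect() link.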
