Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

PHP Mysql Staff Induction System
Hi there, I'm pretty new to PHP and Mysql so could really do with being pointed in the right directi

Casting Decimals in Oracle
This code worked as a query in DB2, but I am not sure what the syntax is for casting decimals in Ora

Effort Estimation Template for Steady State Support
Hi Everyone,

Is there any SAP provided template/format for system change and enhancements

Form File Upload
I've read through tons of resources and tutorials and as far as I can tell, my code is accurate, but

Parse multirow HTML table
Hello all,
I have a site I am working on. Its a sports site and I am trying to add stats to a DB

PHP Upload issue
Hi guys,

I have stumble across an interesting issue with my script and is doing my head in.

Check Date/Time in PHP
What I need the code to check is that $reQuest is 24 hours in the past then return a time based on h

Not sure why this script is not working?
Hi I am new to php programing and I was trying to make up a simple script like a captcha but I canno

how do i make a string??
hey guys,
can someone please tell me how to put data from the glob function into a string

Auto fill in input value based on User_ID
Hello,

I'm looking form some input on the following problem.

User loads page ->

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash