Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

Why is my row count 0?
Here's the MySQL query i'm running. It basically pulls data from 2 tables based on some data passed.

Help With editting and deleting form
Hallo !!

So look at this image :

http://img194.imageshack.us/img194/8272/snapshot5f.pn

Dynamic Data + Sql Server 2005 Enterprise?
Hi! I have just started to learn ASP.NET, and it looks like it is quite a lot to learn. Im not reall

How can I Compare two xml documents?
Hi all,

I am doing a POC for my project and I am using XE database 10g version.

mysql_real_escape_string making variable equal nothing
i post a form and i post the variable:
Code: $var = $_POST[variable];then i echo $var its what i

Using system() and bringing back the results
I am aware that you can use system() within PHP to execute system commands, but I was wondering if t

To add a field on the screen XK02.
Hi All,

How to add an additional field in the vendor change control screen XK02.
The

show the direct link into href
I want to display link on the page. i am fetching the data(URL) from database,actually before that i

php is not recognized as an internal or external command
Hello,

I am trying to bake the code in CakePHP through my console.
I have changed my Path

DBCA Templates
Hi all,

I'm working on creating a template for DBCA, but can't find any documentation on the

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash