Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

Can php detect connection speed and thereafter swap out elements?
No code to post, lads, yet. Just looking for a yay or nay at this stage:

Can a php script be

Undefined index on my form
ok im getting Undefined index on this line.. print_r($_REQUEST['form']);

below is the full sc

Echo-ing MySQL content and Keep Formatting?
I have data in my MySQL such as:

QuoteBlah blah

Blah blah

etc
but when i ech

Multi-image upload problems
Lets see if I can get some help on this one. Can anyone show me what I am doing wrong here. I'm just

Images in email problem
I found this script for sending emails, it works but if the email has <img src="image.jp

File upload issues
Hi Guys,

Can anyone see any issues with this code:
Code: $setImage= 'productimages/' . dat

Limiting uploaded file type
I am working on a simple upload script, and I need it to limit the allowed file type that is uploade

Email to a friend script problems
I have this send-to-a-friend script with 2 issues:


1) When you open the form popup on a p

Strip Slashes Help
I've got a script that i've downloaded of the net to edit multiple fields from my sql database, and

How to get exact 3 moths post date from today date using javascript
How to get exact 3 moths post date from today date using javascript
Please help

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash