Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

How to extract/download content from HTTPS page?
Hello to all the Members of this forum, Im Shoiab, A novice programmer in php.. for my first job I h

Executing an exe
Hi. I have some bizarre problem with exec (other any other method) to launch exe's. I am making a ga

how do i make new line after *
First check this page here. and you see my report. Im pulling form a mysql db. I want to beable to m

Tournament Brackets (Double Elimination)?
Is making a double elimination tournament style bracket system capable of being done in php?

my code does not work.
I have a code problem.

Quote"<a href=index.php?gogo=ureticidetay&'?l={$le

PHP template help
Ok, I don't know if anyone can help me but I am using PHP templates to make a site. I am a newbie an

Mail form doesn't send Russian/Cyrillic characters correctly?
When someone enters foreign characters (like Cyrillic text, and Japanese/Chinese probably gives the

button.click += new eventhandler() not works in if(!ispostback)
i want to use button.clcik event in function VIewScrap() which is called in if(!ispostback) but itdo

MASS PM
Hello all, I'm trying to send mass private messages to users in my database but keep getting an erro

How to separate records and ORDER BY
Let say i have 100 records and displayed in one page, then i want to get the records from 50-100 and

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash