Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

How would I do "Users not logged in since *** delete them"
I know how I would set this up, and delete the user roughly.
I'll create a table called "Use

Sending CC Info by email
I am a little bit less knowledgable in the security area as most developers and I know I have a lot

Dump with added_funcion cl_salv_table
Hi there, I'm having some troubles adding a self defined function to an ALV in fullscreen. The thing

Problem with a select distinct
I have a problema with a select distinct, I have the next sql:

select distinct a,b,c,d fr

I have a parse error in this query help..
Code: $query1="INSERT INTO `rating` (`item_name`, `rating`, `ip_address`, `date_rated`) VALUES

Newb advice
Hi all,

I'm a flash front end designer and I've taken on a project that needs some back end p

Code Review - SQL and Insertion Attacks (Warning: Not for Newbs)
Hey guys,

Its been a while, I know. Use to love coming here to answer peoples questions, but

help with this code please?
Hello,

I am trying to build a remote upload script for my image hosting site.

I am usi

Php - mysql select?
hi, i have this code:

Code: <?php
session_start();
// dBase file
include &quo

ECC6 - Single sign-on
We are in the process of upgrading to ECC 6 which will support single sign on with user passwords al

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash