Sufficient protection from bad input?
Posted on 16th Feb 2014 07:03 pm by admin
I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and receive their own URL. I've, without testing, written this part of the script to clean the input. Are there major security risks?
function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si', // Strip out javascript
    );
    $output = preg_replace($search, '', $input);
    return $output;
}

function sanitize($input) {
    $output = array(); // initialise so an empty array input still returns an array
    if (is_array($input)) {
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $input = cleanInput($input);
        $output = mysql_real_escape_string($input); // needs an open mysql_connect() link
    }
    return $output;
}

// A mysql_connect() / mysql_select_db() connection is assumed to have been opened earlier.
// (The mysql_* extension was removed in PHP 7; the question dates from 2014.)

//Define date for entry
$date = date("Y-m-d");

//clean input (sanitize() already calls cleanInput(), so the regex runs a second time here)
$_title   = sanitize(cleanInput($_POST['title']));
$_uid     = sanitize(cleanInput($_POST['uid']));
$_desc    = sanitize(cleanInput($_POST['desc']));
$_content = sanitize(cleanInput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
    // Use the parameters: the global $_title, $_uid, ... variables are not visible inside the function
    mysql_query("INSERT INTO pageit
        (title, userid, `desc`, dateadded, content)
        VALUES('" . $title . "','" . $uid . "','" . $desc . "','" . $date . "','" . $content . "')")
        or die(mysql_error());
}

// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..
No comments posted yet
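The following is an added example, not code from the original post. It reproduces the post's regex filter beside an allow-list HTML sanitizer built on DOMDocument and a prepared-statement version of the INSERT, then runs a few constructed inputs through both filters. The regex only matches a complete `<script>...</script>` pair, so markup that carries JavaScript in an event attribute, a `javascript:` URL, or an unterminated `<script>` tag passes through it untouched; the allow-list rejects anything it was not told to keep. Table and column names follow the post; the PDO connection string, the sanitizer's allow-lists and the sample inputs are assumptions made for the example.

```php
<?php
// Added example, not from the original post. Contrasts the post's regex filter with
// an allow-list HTML sanitizer built on DOMDocument, and a prepared-statement INSERT.
// Table and column names follow the post; the PDO connection is an assumed placeholder.

// The post's filter, reproduced unchanged for comparison.
function cleanInputRegex(string $input): string {
    return preg_replace('@<script[^>]*?>.*?</script>@si', '', $input);
}

// Allow-lists for the sanitizer (assumed for this example). Everything not listed is removed or unwrapped.
const ALLOWED_TAGS = ['p', 'br', 'b', 'i', 'em', 'strong', 'a', 'img', 'ul', 'ol', 'li', 'h1', 'h2', 'h3'];
const ALLOWED_ATTRS = ['a' => ['href', 'title'], 'img' => ['src', 'alt']];
const ALLOWED_SCHEMES = ['http', 'https'];
// Elements whose content must go too, not just the tag.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'form', 'svg', 'math', 'noscript'];

// True when a URL is relative or uses an allow-listed scheme.
function safeUrl(string $url): bool {
    // Browsers skip control characters and whitespace inside a scheme, so strip them
    // from a working copy before looking for one; the stored value is not changed.
    $norm = preg_replace('/[\x00-\x20]+/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $norm, $m)) {
        return true; // no scheme at all: relative URL
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

// Walks the tree, removing everything outside the allow-lists. Children are
// scrubbed before a disallowed wrapper is unwrapped, so nothing is skipped.
function scrubNode(DOMNode $node): void {
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (in_array($tag, DROP_WITH_CONTENT, true)) {
                $node->removeChild($child);
                continue;
            }
            scrubNode($child);
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                // Unknown wrapper: keep its (already scrubbed) children, drop the tag.
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
                continue;
            }
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $name = strtolower($attr->name);
                $ok = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                    && (($name !== 'href' && $name !== 'src') || safeUrl($attr->value));
                if (!$ok) {
                    $child->removeAttribute($attr->name); // event handlers, style, unknown attrs, bad URLs
                }
            }
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child); // comments, processing instructions
        }
    }
}

function sanitizeHtml(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // user markup is rarely well-formed
    $doc->loadHTML('<!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    scrubNode($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child); // serialises text nodes with entities escaped
    }
    return $out;
}

// Same INSERT as the post, but with bound parameters: data never touches the SQL text,
// so mysql_real_escape_string() and the magic_quotes check are not needed.
function insertPage(PDO $db, string $title, string $uid, string $desc, string $date, string $content): void {
    $stmt = $db->prepare('INSERT INTO pageit (title, userid, `desc`, dateadded, content) VALUES (?, ?, ?, ?, ?)');
    $stmt->execute([$title, $uid, $desc, $date, $content]);
}

// Constructed inputs that the regex leaves intact but the allow-list handles.
function demo(): array {
    $samples = [
        '<p onmouseover="/* handler */">hover me</p>', // event attribute, no <script> tag
        '<a href="javascript:/* handler */">link</a>', // javascript: URL
        '<script>/* handler */',                       // unterminated: regex requires </script>
        '<p>Fine &amp; <b>bold</b></p>',               // ordinary content passes through both
    ];
    $rows = [];
    foreach ($samples as $s) {
        $rows[] = ['input' => $s, 'regex' => cleanInputRegex($s), 'allowlist' => sanitizeHtml($s)];
    }
    return $rows;
}

if (PHP_SAPI === 'cli') {
    foreach (demo() as $row) {
        printf("input:     %s\nregex:     %s\nallowlist: %s\n\n", $row['input'], $row['regex'], $row['allowlist']);
    }
    // $db = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS'); // placeholders
    // insertPage($db, $_POST['title'], $_POST['uid'], $_POST['desc'], date('Y-m-d'), sanitizeHtml($_POST['content']));
}
```

Run from the command line it prints each sample after both filters; the first three come out of the regex unchanged and out of the allow-list with the handler attribute, the `javascript:` href or the whole `<script>` element gone, while the last is left alone by both. Two points the code illustrates: filtering is done at the HTML level with a parser rather than with a regex over raw text, because a regex cannot see the attribute and tag structure a browser will act on; and escaping for SQL is replaced by parameter binding, which keeps it separate from the HTML question entirely. Since users publish whole pages, serving their content from a separate hostname (so it shares no cookies with the main site) is a further, independent layer worth considering.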