Sufficient protection from bad input?
Posted on 16th Feb 2014 07:03 pm by admin
I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and receive their own URL. I've, without testing, written this part of the script to clean the input. Are there major security risks?
function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si', // Strip out javascript
    );
    $output = preg_replace($search, '', $input);
    return $output;
}

function sanitize($input) {
    $output = array(); // initialised so an empty array does not return an undefined variable
    if (is_array($input)) {
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $input  = cleanInput($input);
        $output = mysql_real_escape_string($input);
    }
    return $output;
}

// Define date for entry
$date = date("Y-m-d");

// Clean input (sanitize() already calls cleanInput(), so the outer call only repeats that step)
$_title   = sanitize(cleanInput($_POST['title']));
$_uid     = sanitize(cleanInput($_POST['uid']));
$_desc    = sanitize(cleanInput($_POST['desc']));
$_content = sanitize(cleanInput($_POST['content']));

// Insert a row of information into the table with function
// (uses its own parameters; the original referenced the global $_uid/$_desc/$_content, which are not visible inside the function)
function insert($title, $uid, $desc, $date, $content) {
    mysql_query("INSERT INTO pageit
        (title, userid, `desc`, dateadded, content)
        VALUES ('" . $title . "', '" . $uid . "', '" . $desc . "', '" . $date . "', '" . $content . "')")
        or die(mysql_error());
}

// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
// Done script stuff for now..
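As an added example (not the poster's code), this is the defensive shape of the same script: an allowlist-based HTML filter built on DOMDocument for the content column, and a PDO prepared statement for the INSERT instead of string concatenation with mysql_real_escape_string. The table and column names are the question's; the $db PDO connection, the allowlist contents and the function names are assumptions.

```php
// Added example (not the poster's code): allowlist HTML filter plus parameterized INSERT. Table and
// column names follow the question; the PDO connection ($db) is assumed to be created elsewhere.
const ALLOWED_TAGS  = ['p', 'br', 'b', 'i', 'em', 'strong', 'a', 'img', 'ul', 'ol', 'li', 'h1', 'h2', 'h3'];
const ALLOWED_ATTRS = ['a' => ['href', 'title'], 'img' => ['src', 'alt']];

function sanitizeHtml(string $html): string {
    $doc = new DOMDocument();
    // The XML prologue pins the encoding; the wrapper div gives a fragment a single root element.
    @$doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    $root = $doc->documentElement;
    filterNode($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function filterNode(DOMNode $node): void {
    // Copy the child list first: removing from a live DOMNodeList while iterating skips items.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if (!($child instanceof DOMElement)) {
            if (!($child instanceof DOMText)) { $node->removeChild($child); } // keep text, drop comments/PIs
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            $node->removeChild($child); // an element outside the allowlist goes, together with its content
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true);
            if ($keep && ($name === 'href' || $name === 'src')) {
                // URL attributes: http(s), protocol-relative or relative only; any other scheme is dropped.
                $keep = (bool) preg_match('#^(https?://|/|[^:]*$)#i', trim($attr->value));
            }
            if (!$keep) { $child->removeAttribute($attr->name); }
        }
        filterNode($child);
    }
}

function insertPage(PDO $db, string $title, string $uid, string $desc, string $content): void {
    // Bound parameters leave escaping to the driver, so input is never spliced into the SQL text.
    $stmt = $db->prepare('INSERT INTO pageit (title, userid, `desc`, dateadded, content)
                          VALUES (:title, :uid, :desc, :date, :content)');
    $stmt->execute([':title' => $title, ':uid' => $uid, ':desc' => $desc,
                    ':date' => date('Y-m-d'), ':content' => sanitizeHtml($content)]);
}
```

Only the content column is meant to hold HTML, so only it goes through sanitizeHtml(); title and desc are stored as typed and must be passed through htmlspecialchars() wherever they are rendered.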