Sufficient protection from bad input?
Posted on 16th Feb 2014 07:03 pm by admin
I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and receive their own URL. Without testing, I've written this part of the script to clean the input; are there major security risks?
    // Strip <script>...</script> blocks from a string (regex-based removal only).
    function cleanInput($input) {
        $search = array(
            '@<script[^>]*?>.*?</script>@si', // Strip out javascript
        );
        $output = preg_replace($search, '', $input);
        return $output;
    }

    // Recursively undo magic quotes, strip scripts and SQL-escape a value or array of values.
    // Note: mysql_real_escape_string() needs an open mysql_connect() link, otherwise it returns false.
    function sanitize($input) {
        if (is_array($input)) {
            $output = array();
            foreach ($input as $var => $val) {
                $output[$var] = sanitize($val);
            }
        }
        else {
            if (get_magic_quotes_gpc()) {
                $input = stripslashes($input);
            }
            $input = cleanInput($input);
            $output = mysql_real_escape_string($input);
        }
        return $output;
    }

    // Define date for entry
    $date = date("Y-m-d");

    // Clean input (sanitize() already calls cleanInput(), so wrapping it again is redundant)
    $_title   = sanitize($_POST['title']);
    $_uid     = sanitize($_POST['uid']);
    $_desc    = sanitize($_POST['desc']);
    $_content = sanitize($_POST['content']);

    // Insert a row of information into the table with function.
    // Uses the function parameters; the original referenced "_$title" and the
    // global $_uid/$_desc/$_content, which are not visible inside the function.
    function insert($title, $uid, $desc, $date, $content) {
        mysql_query("INSERT INTO pageit
            (title, userid, `desc`, dateadded, content)
            VALUES ('" . $title . "','" . $uid . "','" . $desc . "','" . $date . "','" . $content . "')")
            or die(mysql_error());
    }

    // Do the insert with the cleaned data!
    insert($_title, $_uid, $_desc, $date, $_content);
    // Done script stuff for now..
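As an added example (not code from the original post), here is the same insert written the way a reviewer would ask for it today: the query is parameterised with mysqli prepared statements instead of built by string concatenation and escaping, input is validated for type and length before it reaches the database, and escaping for HTML is done at output time with htmlspecialchars() rather than by altering what is stored. The mysql_* functions and get_magic_quotes_gpc() used in the post no longer exist in current PHP. Assumptions: the table and column names are taken from the post, userid is treated as an integer, and the connection credentials are placeholders.

```php
<?php
// Added example, not from the original post. Requires the mysqli extension.
declare(strict_types=1);

// Pull a required string field from the request, trim it, and enforce a length limit.
function fieldOrFail(array $src, string $key, int $maxLen): string {
    $v = isset($src[$key]) && is_string($src[$key]) ? trim($src[$key]) : '';
    if ($v === '' || strlen($v) > $maxLen) {
        throw new InvalidArgumentException("Field '$key' is missing or too long");
    }
    return $v;
}

// Insert a page row using a prepared statement: the values are bound as data and
// never become part of the SQL text, so quoting/escaping of the input is not needed.
function insertPage(mysqli $db, string $title, int $uid, string $desc, string $date, string $content): int {
    $sql = 'INSERT INTO pageit (title, userid, `desc`, dateadded, content) VALUES (?, ?, ?, ?, ?)';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // Types: s = string, i = integer (one letter per placeholder, in order).
    $stmt->bind_param('sisss', $title, $uid, $desc, $date, $content);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    return (int) $stmt->insert_id;
}

// Escape a string for an HTML text or attribute context at output time.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Connection values are placeholders (assumption); set_charset keeps escaping and
// the connection charset in agreement.
$db = new mysqli('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
$db->set_charset('utf8mb4');

try {
    $title = fieldOrFail($_POST, 'title', 200);
    // userid is assumed to be an integer; reject anything that does not parse as one.
    $uid = filter_var($_POST['uid'] ?? '', FILTER_VALIDATE_INT);
    if ($uid === false) {
        throw new InvalidArgumentException('uid must be an integer');
    }
    $desc    = fieldOrFail($_POST, 'desc', 1000);
    $content = fieldOrFail($_POST, 'content', 65535);
    $date    = date('Y-m-d'); // same date format as the original post

    $id = insertPage($db, $title, $uid, $desc, $date, $content);
    echo 'Saved page ', $id, ': ', h($title);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo h($e->getMessage());
}
```

Two points worth keeping separate: the database side and the HTML side. Prepared statements settle the database side regardless of what the content contains. For user-supplied HTML that is later rendered on the site, removing `<script>` tags with a regex is not a substitute for an allowlist-based HTML sanitizer (such as HTML Purifier), which keeps only the tags and attributes you explicitly permit; storing the raw content and deciding at render time how it may appear is the more maintainable arrangement.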
No comments posted yet