Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

Cron Job and Output
I have php codes running under a cron job.
But everytime i output (echo) , it comes out as comple

Stuck with preg_replace
Hi,

I'm trying to use preg_replace to remove part of the IP address submitted using a form on

Count
Getting the same count everytime

Code:
$visitquery = mysql_query("SELECT COUNT(*) FR

Simultaneous select/update/insert
Hi

How would I need to go about when 2 users update a single row simultaneous? And how would

Writing to the middle of a file
Hi I have a bit of a problem. Is there any way i can write some text to a middle of a text file. For

some query on multilingual website
Hi all,

Which is the simplest and easiest method to make a website multilingual,
is it put

need help with date function
i have following form for date

Code: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01

please fix the error
What is the error in the below code ???
Line number On/Off | Expand/Contract <?php

[Need Help] php timing issues
I don't know what is going wrong. I need some help with being able to set an image at 9:00am Colorad

MYSQL INSERT ID NOT WORKING
Code: $id = mysql_insert_id();
header("Location: ./?view=$id");
Why $id pulling blan

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash