Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

how to load a Sys file with system load and call images?
normally you need register the module as a service with CreateService, and start the service

Pipe email to PHP - get mail adress from MySQL - send?
Hi all,

this is the challenge:

1) Our faculty at the college where I'm employed includ

Sales orders ans reservations not taken into account on MPS / MRP
Hello,

I am implementing the MPS / MRP and I have the following problem:

I ha

split string
Hi all

i have some names (imploded by comma):
Code: toronto,paris,madrid
Now, i would

Filtering an Array Based on Value
I have a very simple script set up that pulls data from a database and is output using this code:

New to mysqli library - Multiple query problem
Greetings,

I am writing a batch program that executes 3 queries on a single page. Using mysql

Material xxx does not exist in plant xxx
Dear All,

I am working for a steel project which is repetitive manufacturing.

Keeping data in form
How can I keep whatever I write in the form?

SQl num_rows problem
when i try to count rows from an SQL select i get an warning

Code: [Select]$countviews = mysq

Anti Spam Code Problems
Ok where do i start? Probably by telling you I have very little working knowledge of PHP and that I

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash