Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

Trending TodaySee what people are reading
No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

shift numbers with paging
Hi

How would i be able to display 10 numbers 1 2 3 4 5 6 7 8 9 10
and when I click next

Transport data between itab and textfield on ALV event
Hallo,

I have a ALV Grid ( cl_gui_alv_grid ) and I also have hotspot click event with a h

How to add advertisment on top of videos
Hello,
I was told that i should find the answer for this problem in this forums.
I searched a

phpmailer class & pop.gmail.com?
Code: <?php
$mail->IsSMTP();
$mail->Host = "pop.gmail.com";

string to currency format
Hi guys...

Actually I chunk out some data from txtfile and one of the data contains amount va

mysql_real_escape_string making variable equal nothing
i post a form and i post the variable:
Code: $var = $_POST[variable];then i echo $var its what i

$_POST
Hi, I have 2 seperate php files, and i want my $_POSt["fname"] To go into both of them, Fo

include problem
I have my root folder as:
Code: $root = $_SERVER["SITE_HTMLROOT"]; // the server root<

Text to picture Generator
Hello, i have found this script and it works really good^^ But i have one problem, i would like to c

calendar dates and hours compare problem
i have a calendar in wordpress, everything works great except that i can make 2 meetings at the same

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



 
© indyaspeak.com. All Rights Reserved.
Play Free Quiz and Win Cash