Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

License Issue - service type user
Hi,

I would like to understand the following issue regarding sap license.
I wish to

Reditecting pages based on logic
Newbie here, apologies in advance!

I am trying to use the header function to forward one of a

How to add an image/C++ OpenGL?
Hi,

I have been trying to look online for this and, so far, I haven't found anything usef

help with this code please?
Hello,

I am trying to build a remote upload script for my image hosting site.

I am usi

insert Multiple rows into the table from that table data
Hi All,

I have a requirement like to insert mulitple rows into the table from that

IIS & NW MII on the same server
Hi,

We're weighing the possibility to run both IIS and MII (NetWeaver) on the same server

help me fix these syntax errors...
I keep getting multiple syntax errors on this script like this one:

Parse error: syntax error

article site help remaining text
Hi all hope you will be fine
I am creating a article site in this site i want to put some text on

remove innitial

and

tags
i am using tiny_mce as a text editor for my CMS.
buy now the problem is it add <p>

Unifying logins of two different scripts
I have two different game scripts which I want to embed on my own site. The problem is I don't want

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash