Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

returning data from an ssh2_exec()
here's what i got.


$conn = ssh2_connect($this->_host);
ssh2_auth_password($c

Creating web pages by php
Hello again,
I was just wondering us there a way to use a php script to create a new web page. I

background color imagefill
Hello

I would like to ask you why I see this square in red color just in my local xampp insta

$action = "insert"; //$action = $_GET['action'];
$action = "insert";
//$action = $_GET['action'];

why is this invalid type? I am

PHP Thumbnail Creation
Ok so i use this function to create thumbnails:

Code: [Select]function createthumb($name,$fil

problem in pagination when processing with selectbox form
Hi,

I have a search form, with select boxes, if am selecting the value from the form, it work

Comparing two dates
Hi Guys
I have two dates I want to compare. Below is my current implementation. The problem with

Undefined variables
hi
----------------------------------------------------------------------------------------------

Chat Box in PHP
I was thinking in doing a Chat Box in PHP. For that I would use a form with two fields, Nick and Mes

Matchcode in ALV change header column
Hello everyone,

I am working in an SAP system that is currently in upgrade and conversion

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash