Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

Displaying different page content, depending on the logged in user.
Hi all, I am new to ASP.net (and web development in general), and have a question about how I can di

Create comparison matrix?
I want to create a comparison script for forum software and was wondering is there any tutorial or b

how make 2 column in table with data tybe long row
hi every one

I want make in my table 2 column with data tybe long raw

how thi

PHP and MySQL on intranet?
Is it possible to use both these on an intranet network?

pop3 and fsockopen
So I am able to connect to the pop3 server, log in, and check how many messages there are. I am hav

How to create a static html menu from a database
Hi,

I have built a small cms which allows me to create simple html pages and then upload them

Echo Tweaking help!
HI. I would like to have the output of the entered variables repeat forever, but it's stopping at th

Alternate messaging
I have 4 strings in MySQL db1

$string1 : Hello
$string2 : Hi
$string3 : Great
$strin

Do While statement
hi guys,

This may sound trivial but im new to php and as part of an assignmenti have to const

Putting double spaces instead of single spaces
Im looking at trying to replace all single spacing between fields with double spacing

At pres

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash