Sufficient protection from bad input?
Posted on 16th Feb 2014 07:03 pm by admin
I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and receive their own URL. I've, without testing, written this part of the script to clean the input; are there major security risks?
// Strip <script>...</script> blocks from a string (regex blacklist).
function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si', // Strip out javascript
    );
    $output = preg_replace($search, '', $input);
    return $output;
}

// Recursively clean a value (or array of values) and escape it for the
// legacy mysql extension. Assumes an open mysql_connect() connection.
function sanitize($input) {
    $output = array();
    if (is_array($input)) {
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $input = cleanInput($input);
        $output = mysql_real_escape_string($input);
    }
    return $output;
}

// Define date for entry
$date = date("Y-m-d");

// Clean input
$_title   = sanitize(cleanInput($_POST['title']));
$_uid     = sanitize(cleanInput($_POST['uid']));
$_desc    = sanitize(cleanInput($_POST['desc']));
$_content = sanitize(cleanInput($_POST['content']));

// Insert a row of information into the table with function.
// Uses the function's own parameters, not the $_... globals, which are
// not visible inside the function.
function insert($title, $uid, $desc, $date, $content) {
    mysql_query("INSERT INTO pageit
        (title, userid, `desc`, dateadded, content)
        VALUES('" . $title . "','" . $uid . "','" . $desc . "','" . $date . "','" . $content . "')")
        or die(mysql_error());
}

// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);

// Done script stuff for now..
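The same insert written with a PDO prepared statement, as an added example that is not the poster's code: bound parameters keep the values out of the SQL text entirely, so the database side no longer depends on the regex or on mysql_real_escape_string, and HTML escaping is done at output time for the context the value lands in (a regex that strips only script tags is not a complete HTML sanitizer). The DSN, credentials and the $_POST field names are assumptions; the table and columns are the poster's.

```php
<?php
// Added example (not the poster's code). Assumes the poster's table
// pageit(title, userid, `desc`, dateadded, content) and a PDO connection.

// Recursively trim values. No escaping here: escaping belongs to the
// context (SQL, HTML) where the value is used, not to intake.
function normalizeInput($input) {
    if (is_array($input)) {
        $out = array();
        foreach ($input as $k => $v) {
            $out[$k] = normalizeInput($v);
        }
        return $out;
    }
    return trim((string) $input);
}

// Insert with bound parameters: quotes and backslashes in the values are
// data, never SQL, so no per-value escaping is needed.
function insertPage(PDO $pdo, $title, $uid, $desc, $date, $content) {
    $sql = 'INSERT INTO pageit (title, userid, `desc`, dateadded, content)
            VALUES (:title, :uid, :desc, :date, :content)';
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array(
        ':title'   => $title,
        ':uid'     => $uid,
        ':desc'    => $desc,
        ':date'    => $date,
        ':content' => $content,
    ));
    return $pdo->lastInsertId();
}

// Escape for an HTML text/attribute context when rendering. User-supplied
// HTML that must be rendered as markup needs an allow-list HTML sanitizer
// instead, not a blacklist regex.
function renderText($value) {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Placeholder DSN/credentials (assumption); real prepares, not emulated.
$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4',
               'dbuser', 'dbpass', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
));
$in = normalizeInput($_POST);
$id = insertPage($pdo, isset($in['title']) ? $in['title'] : '',
    isset($in['uid']) ? $in['uid'] : '', isset($in['desc']) ? $in['desc'] : '',
    date('Y-m-d'), isset($in['content']) ? $in['content'] : '');
echo '<h1>' . renderText(isset($in['title']) ? $in['title'] : '') . '</h1>';
```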