Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

Hom to make one url to open together with another url
I have a chat, which i want to be opened, as soon as the users login to the site. As it is now, when

writing my own sobel filter convolution - something is wrong
I am trying to keep it very simple, I cant see anything wrong with my logic, could anybody help poin

PHP/Database issue
My friend is helping me make a database where you go to a certain webpage of my site and the page wi

GET * FROM _____ Except?
I have a site that is for stock photography.

This section of the code calls images to display

Impact of movement type 412 E on MAP
Hi

Usage of movement type 412 E is causing huge change in MAP .

Is there any r

Custom CMS
This is a big custom CMS script I'd like to develop and would like some help atleast figuring out wh

Mail Form receiving emails with no content
Hi, I hope someone here can help me.
I have a simple form in my website, it was working OK, after

Mail functionality from localhost to server
Hi

I am facing problem of mail functionality.

When i tested mail functionality in my

BI in Upstream Production operations
Appreciate if you can assist in the following areas:
1) Examples of life before and after BI i

Getting Subdomain Name With PHP?
I want to grab the subdomain name with PHP so I can generate database queries.

for example my

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash