Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and receive their own URL. I've, without testing, written this part of the script to clean the input; are there major security risks?

// Blocklist filter: strips <script>...</script> blocks in a single regex pass
function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si', // Strip out javascript
    );
    $output = preg_replace($search, '', $input);
    return $output;
}

// Recursively clean arrays, then escape each scalar for use inside a quoted SQL string
// (mysql_* and get_magic_quotes_gpc() are legacy APIs; mysql_* was removed in PHP 7)
function sanitize($input) {
    if (is_array($input)) {
        $output = array(); // initialise so an empty array returns an array, not null
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $input = cleanInput($input);
        $output = mysql_real_escape_string($input);
    }
    return $output;
}

// Define date for entry
$date = date("Y-m-d");

// Clean input (note: sanitize() already calls cleanInput() once itself)
$_title   = sanitize(cleanInput($_POST['title']));
$_uid     = sanitize(cleanInput($_POST['uid']));
$_desc    = sanitize(cleanInput($_POST['desc']));
$_content = sanitize(cleanInput($_POST['content']));

// Insert a row of information into the table with function
// Uses the function parameters; the original read the globals $_title etc.,
// which are not in scope inside the function, and had a typo (_$title)
function insert($title, $uid, $desc, $date, $content) {
    mysql_query("INSERT INTO pageit
        (title, userid, `desc`, dateadded, content)
        VALUES ('" . $title . "', '" . $uid . "', '" . $desc . "', '" . $date . "', '" . $content . "')")
        or die(mysql_error());
}

// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
// Done script stuff for now..
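The filter in the post is a blocklist: it removes one pattern and trusts whatever is left. The following is an added example, not the poster's code, that ports the page's regex to Python so its behaviour can be checked offline, feeds it a few constructed payloads, and then shows the two approaches a reviewer would recommend instead: encoding untrusted text on output (html.escape) and a parameterised INSERT (sqlite3 stands in for MySQL; the table name and columns are taken from the post, the payloads and the hostile title are constructed for the demo). The EXECUTABLE_MARKUP pattern is a rough detector for the demonstration only, not a sanitiser.

```python
import html
import re
import sqlite3

# Port of the regex in the page's cleanInput() ('@<script[^>]*?>.*?</script>@si',
# s = DOTALL, i = IGNORECASE) to Python. Added example, not the poster's code.
SCRIPT_TAG = re.compile(r"<script[^>]*?>.*?</script>", re.DOTALL | re.IGNORECASE)

# Rough detector for markup a browser would execute; used only to judge the demo
# results, not as a filter.
EXECUTABLE_MARKUP = re.compile(r"<script|\bon\w+\s*=|javascript:", re.IGNORECASE)


def clean_input(text: str) -> str:
    """Single-pass blocklist strip, equivalent to the PHP cleanInput()."""
    return SCRIPT_TAG.sub("", text)


def still_executable(text: str) -> bool:
    return EXECUTABLE_MARKUP.search(text) is not None


# Constructed payloads (not taken from the page). Each is either untouched by the
# regex or is reassembled into a script tag by the single replacement pass.
PAYLOADS = {
    "event handler, no script tag": '<img src=x onerror="alert(1)">',
    "javascript: URL": '<a href="javascript:alert(1)">hi</a>',
    "unclosed script tag (regex needs </script>)": "<script>alert(1)",
    "nested tags glued together by one pass":
        "<scr<script></script>ipt>alert(1)</scr<script></script>ipt>",
}


def bypasses() -> dict:
    """Payload label -> what survives clean_input(), for payloads that still execute."""
    return {
        label: clean_input(p)
        for label, p in PAYLOADS.items()
        if still_executable(clean_input(p))
    }


def escape_for_html(text: str) -> str:
    """Hardened alternative when user content is shown as text: encode on output
    rather than strip on input. Nothing in the result can open a tag or attribute."""
    return html.escape(text, quote=True)


def store_page(conn: sqlite3.Connection, title: str, uid: str, desc: str, content: str) -> str:
    """Parameterised INSERT: the driver keeps data and SQL apart, so no escaping
    function is needed and the stored value is exactly what was submitted.
    Returns the stored title for the given uid."""
    conn.execute(
        "INSERT INTO pageit (title, userid, `desc`, dateadded, content) "
        "VALUES (?, ?, ?, date('now'), ?)",
        (title, uid, desc, content),
    )
    row = conn.execute("SELECT title FROM pageit WHERE userid = ?", (uid,)).fetchone()
    return row[0]


def demo() -> tuple:
    """Run the whole demonstration on an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pageit (title, userid, `desc`, dateadded, content)")
    hostile_title = "Bob's page'); DROP TABLE pageit; --"  # constructed SQL-injection attempt
    stored = store_page(conn, hostile_title, "42", "d", "<b>x</b>")
    return len(bypasses()), stored, escape_for_html(PAYLOADS["event handler, no script tag"])


if __name__ == "__main__":
    for label, leftover in bypasses().items():
        print(f"{label}: {leftover!r}")
    print(demo())
```

All four constructed payloads come out of clean_input() still executable, and the nested one comes out as a plain `<script>alert(1)</script>` because preg_replace makes one pass and does not re-scan the text it has just joined up. If the site must accept real HTML from users, the workable option is an allowlist sanitiser that parses the markup (for PHP, HTML Purifier is the usual choice) rather than a blocklist regex; for plain-text fields, escape on output. For the database side, the quoted-and-escaped query in the post holds up only as long as the connection charset and the escaping function agree; prepared statements with bound parameters (mysqli or PDO in PHP) remove that dependency.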

No comments posted yet
