Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and receive their own url.. I've, without testing, written this part of the script to clean the input; are there major security risks?

function cleanInput($input) {
    // Patterns removed from the input before it is stored
    $search = array(
        '@<script[^>]*?>.*?</script>@si', // Strip out javascript
    );
    $output = preg_replace($search, '', $input);
    return $output;
}

function sanitize($input) {
    if (is_array($input)) {
        $output = array(); // so an empty array does not leave $output undefined
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input); // undo magic_quotes before escaping here
        }
        $input  = cleanInput($input);
        $output = mysql_real_escape_string($input);
    }
    return $output;
}

// Define date for entry
$date = date("Y-m-d");

// Clean input (sanitize() already runs cleanInput() on every value)
$_title   = sanitize($_POST['title']);
$_uid     = sanitize($_POST['uid']);
$_desc    = sanitize($_POST['desc']);
$_content = sanitize($_POST['content']);

// Insert a row of information into the table with function.
// The query is built from the function's own parameters.
function insert($title, $uid, $desc, $date, $content) {
    mysql_query("INSERT INTO pageit
        (title, userid, `desc`, dateadded, content)
        VALUES ('" . $title . "','" . $uid . "','" . $desc . "','" . $date . "','" . $content . "')")
        or die(mysql_error());
}

// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
// Done script stuff for now..
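As an added example (not the asker's code), the same insert written with a PDO prepared statement and escaping at output time; it assumes PHP 5.4 or later with the PDO MySQL driver, the `pageit` table and columns from the question, and placeholder database credentials.

```php
<?php
// Added example, not the asker's code. Assumes PHP 5.4+, PDO with the MySQL
// driver, the `pageit` table from the question, and placeholder credentials.

function connect() {
    $pdo = new PDO(
        'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
        'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER'
    );
    // Fail loudly, and use real server-side prepares so parameter values are
    // sent separately from the SQL text instead of being spliced into it.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Store a page. Bound parameters make quoting, magic_quotes and
// mysql_real_escape_string irrelevant to the structure of the query.
function insertPage(PDO $pdo, $title, $uid, $desc, $content) {
    $stmt = $pdo->prepare(
        'INSERT INTO pageit (title, userid, `desc`, dateadded, content)
         VALUES (:title, :uid, :desc, CURDATE(), :content)'
    );
    $stmt->execute(array(
        ':title'   => $title,
        ':uid'     => $uid,
        ':desc'    => $desc,
        ':content' => $content,
    ));
    return $stmt->rowCount(); // 1 on success
}

// Escape a stored value when rendering it. Removing <script> on input is a
// blocklist, so the stored data is not safe to print raw: escape it like this,
// or run it through an allowlisting HTML sanitizer at render time.
function h($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function field($name) {
    return isset($_POST[$name]) ? (string) $_POST[$name] : '';
}

$pdo = connect();
insertPage($pdo, field('title'), field('uid'), field('desc'), field('content'));

// Render back what was stored, escaped for an HTML context.
echo '<h1>' . h(field('title')) . '</h1>' . "\n";
echo '<p>' . h(field('desc')) . '</p>' . "\n";
```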

No comments posted yet
