Sufficient protection from bad input?
Posted on 16th Feb 2014 07:03 pm by admin
I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and receive their own URL. I've, without testing, written this part of the script to clean the input; are there major security risks?
function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si', // Strip out <script> elements
    );
    $output = preg_replace($search, '', $input);
    return $output;
}

function sanitize($input) {
    $output = array();
    if (is_array($input)) {
        // Recurse into arrays so every leaf value gets the same treatment
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $input = cleanInput($input);
        $output = mysql_real_escape_string($input);
    }
    return $output;
}

// Define date for entry
$date = date("Y-m-d");

// Clean input (cleanInput is also applied again inside sanitize)
$_title = sanitize(cleanInput($_POST['title']));
$_uid = sanitize(cleanInput($_POST['uid']));
$_desc = sanitize(cleanInput($_POST['desc']));
$_content = sanitize(cleanInput($_POST['content']));

// Insert a row of information into the table with function.
// The function works only on its parameters, not on globals.
function insert($title, $uid, $desc, $date, $content) {
    mysql_query("INSERT INTO pageit
        (title, userid, `desc`, dateadded, content)
        VALUES ('" . $title . "','" . $uid . "','" . $desc . "','" . $date . "','" . $content . "')")
        or die(mysql_error());
}

// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);

// Done script stuff for now..
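Added example, not the poster's code: the same insert written with a mysqli prepared statement, so the driver handles SQL quoting instead of sanitize(), and with HTML escaping moved to output time instead of stripping <script> tags at storage time. The `pageit` table, its columns and the $_POST fields come from the post; the connection credentials, the field length limits and the function names field()/insertPage() are assumptions.

```php
<?php
// Added example (not the original poster's code). Assumes the `pageit` table
// and form fields from the post; connection details are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
if ($db->connect_error) {
    die('Connection failed'); // never echo $db->connect_error to users
}
$db->set_charset('utf8mb4'); // connection charset must match the data

// Read raw input: no stripslashes or escaping here. magic_quotes is gone in
// PHP 5.4+, and bound parameters are escaped by the driver, not by us.
function field(string $name, int $max): string {
    $v = $_POST[$name] ?? '';
    if (!is_string($v)) { $v = ''; }   // reject arrays in scalar fields
    return mb_substr($v, 0, $max);     // bound the stored size (limits assumed)
}
$title   = field('title', 200);
$uid     = field('uid', 64);
$desc    = field('desc', 1000);
$content = field('content', 65535);
$date    = date('Y-m-d');

// Parameterised INSERT: the values never become part of the SQL text, so
// quotes or other characters inside them cannot change the query.
function insertPage(mysqli $db, string $title, string $uid, string $desc,
                    string $date, string $content): bool {
    $stmt = $db->prepare(
        'INSERT INTO pageit (title, userid, `desc`, dateadded, content) '
      . 'VALUES (?, ?, ?, ?, ?)'
    );
    if ($stmt === false) { return false; }
    $stmt->bind_param('sssss', $title, $uid, $desc, $date, $content);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if (!insertPage($db, $title, $uid, $desc, $date, $content)) {
    error_log('pageit insert failed: ' . $db->error); // log, do not print
    http_response_code(500);
    exit('Could not save page');
}

// Output-side defence: escape when rendering, not when storing, so the stored
// data stays intact. Plain-text fields get htmlspecialchars(); user-authored
// HTML in `content` needs an allowlist sanitizer such as HTML Purifier, since
// removing only <script> elements does not cover all script-bearing markup.
echo '<h1>' . htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h1>';
```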
No comments posted yet