Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

How to clone an SAP ECC using bacup tape on z/os?
We want to clone our production to a different SID using backup tape.

Preventing SQL Injection
I have a question about SQL Injection, In some of our code we use this: view plaincopy to clipboa

PHP Game
hy i was wondering what's the best method in order to make some automatic updates in a php game
<

captcha error
I have been trying to implement a captcha in php...

here is the code..
Code: (php) [Select

Procedure with variable number of columns
Hi, I have a procedure that looks like this:

PROCEDURE PROC(p_cursor OUT sys_refcurso

modifying query string with no page refresh
Hi everybody,
I've tried to get info about my problem all over the internet but i didn't find out

Slow data retrieval which requires improvement..please help
I am working on a Help Desk Ticketing system and have a page called MY TICKETS which shows all ticke

How to extract/download content from HTTPS page?
Hello to all the Members of this forum, Im Shoiab, A novice programmer in php.. for my first job I h

Error when call dll from oracle
Hi all, please help me!

I have dll write C language, I want call it from oracle procedur

Problem with a select distinct
I have a problema with a select distinct, I have the next sql:

select distinct a,b,c,d fr

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash