Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and receive their own URL. I've, without testing, written this part of the script to clean the input. Are there major security risks?

// Strip out <script>...</script> blocks with a regex (blocklist approach)
function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si', // Strip out javascript
    );
    $output = preg_replace($search, '', $input);
    return $output;
}

// Recursively clean a value (or array of values) and escape it for MySQL
function sanitize($input) {
    if (is_array($input)) {
        $output = array(); // initialise so an empty array does not return null
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input); // undo magic_quotes before escaping ourselves
        }
        $input = cleanInput($input);
        $output = mysql_real_escape_string($input);
    }
    return $output;
}

//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleanInput($_POST['title']));
$_uid = sanitize(cleanInput($_POST['uid']));
$_desc = sanitize(cleanInput($_POST['desc']));
$_content = sanitize(cleanInput($_POST['content']));

// Insert a row of information into the table with function
// (uses the function's own parameters, not the global $_ variables)
function insert($title, $uid, $desc, $date, $content) {
    mysql_query("INSERT INTO pageit
        (title, userid, `desc`, dateadded, content)
        VALUES ('" . $title . "','" . $uid . "','" . $desc . "','" . $date . "','" . $content . "')")
        or die(mysql_error());
}

// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..
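For comparison, here is how the same insert and the later display of a page look when escaping is done per context instead of up front. This is an added example, not the poster's code: it assumes a PDO connection (the DSN and credentials below are placeholders), keeps the `pageit` table and column names from the post, and treats the stored text as untrusted at render time rather than relying on a regex to have made it safe at storage time. The SQL risk is handled by the parameterized statement (which replaces `mysql_real_escape_string`), and the HTML risk by `htmlspecialchars` at output.

```php
<?php
// Added example (not from the original post). Assumptions: a PDO connection
// to the same database, and that the page will be shown as escaped text.

// Placeholder connection details; replace with real values in deployment.
$pdo = new PDO(
    'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4',
    'PLACEHOLDER_USER',
    'PLACEHOLDER_PASS',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

// SQL context: values travel as bound parameters, never spliced into the query
// string, so no escaping of the raw input is needed (or wanted) before storage.
function insertPage(PDO $pdo, string $title, string $uid, string $desc, string $content): int
{
    $sql = 'INSERT INTO pageit (title, userid, `desc`, dateadded, content)
            VALUES (:title, :uid, :desc, :dateadded, :content)';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':title'     => $title,
        ':uid'       => $uid,
        ':desc'      => $desc,
        ':dateadded' => date('Y-m-d'),
        ':content'   => $content,
    ]);
    return (int) $pdo->lastInsertId();
}

// Read a page back by id, again with a bound parameter.
function loadPage(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT title, userid, `desc`, dateadded, content
                           FROM pageit WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HTML context: escape every field at the moment it is written into markup.
// ENT_QUOTES also escapes single quotes, so the values are safe inside
// attribute values as well as element content.
function renderPage(array $row): string
{
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<article>'
         . '<h1>' . $e($row['title']) . '</h1>'
         . '<p class="meta">by ' . $e($row['userid']) . ' on ' . $e($row['dateadded']) . '</p>'
         . '<p class="desc">' . $e($row['desc']) . '</p>'
         . '<div class="content">' . $e($row['content']) . '</div>'
         . '</article>';
}

// Usage with the same POST fields the original script reads.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $id = insertPage(
        $pdo,
        (string) ($_POST['title']   ?? ''),
        (string) ($_POST['uid']     ?? ''),
        (string) ($_POST['desc']    ?? ''),
        (string) ($_POST['content'] ?? '')
    );
    header('Location: ?id=' . $id);
    exit;
}

$page = loadPage($pdo, (int) ($_GET['id'] ?? 0));
echo $page === null ? '<p>Not found</p>' : renderPage($page);
```

Two things this changes relative to the original approach. First, `mysql_real_escape_string` only ever protected the SQL string; it says nothing about whether the stored text is safe to print into a page, and doing it before storage also means the escaped form is what gets stored. Second, a single regex that removes `<script>` elements is a blocklist: HTML has many other ways to carry scripting (event-handler attributes, `javascript:` URLs, and so on), so "strip the one thing I thought of" is not a sanitizer. If users really must be allowed to author HTML rather than plain text, the defensible route is an allowlist sanitizer such as HTML Purifier (a library assumption here, not something the post uses) that rebuilds the markup from a known-safe set of tags and attributes, applied at output time, with a Content-Security-Policy header as a second layer.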

No comments posted yet
