Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and receive their own URL. I've, without testing, written this part of the script to clean the input; are there major security risks?

function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si', // Strip out javascript
    );
    $output = preg_replace($search, '', $input);
    return $output;
}
function sanitize($input) {
    $output = array(); // so the array branch has something to fill
    if (is_array($input)) {
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $input = cleanInput($input);
        $output = mysql_real_escape_string($input); // needs an open mysql_connect() link
    }
    return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleanInput($_POST['title']));
$_uid = sanitize(cleanInput($_POST['uid']));
$_desc = sanitize(cleanInput($_POST['desc']));
$_content = sanitize(cleanInput($_POST['content']));

// Insert a row of information into the table with function
// (only the parameters are visible in here; the $_title etc. globals are not)
function insert($title, $uid, $desc, $date, $content) {
    mysql_query("INSERT INTO pageit
        (title, userid, `desc`, dateadded, content)
        VALUES ('" . $title . "','" . $uid . "','" . $desc . "','" . $date . "','" . $content . "')")
        or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..
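The following is an added example, not the poster's code and not an answer posted in the thread. It takes the three things a reviewer would check in the script above and puts them in working form: inputs that the `cleanInput()` regex lets through unchanged, the insert rewritten as a PDO prepared statement (so the stored content is the raw submission and no escaping is needed at the SQL layer), and escaping applied when the page is rendered rather than when it is stored: `htmlspecialchars()` for the plain-text fields and a small allow-list filter for the HTML page body. It goes beyond the single regex in the post by showing the general allow-list approach. The PDO handle, the `pageit` column names (taken from the post's INSERT) and the tag/attribute allow-lists are assumptions.

```php
<?php
// Added example, not the poster's code. Shows (1) payloads that cleanInput()
// passes untouched, (2) a PDO prepared statement in place of
// mysql_real_escape_string() + string concatenation, and (3) escaping at output
// time: htmlspecialchars() for plain-text fields, an allow-list filter for the
// HTML page body. The PDO handle and the column names are assumptions.
declare(strict_types=1);

// The poster's filter, kept so the payloads can be run against it.
function cleanInput(string $input): string {
    return preg_replace('@<script[^>]*?>.*?</script>@si', '', $input);
}

// Constructed payloads; each runs in a browser, none is neutralised by the regex
// (the last one matches, but what is left after the removal is <script>).
function regexBypasses(): array {
    $payloads = [
        '<img src=x onerror="alert(1)">',              // event handler, no script tag
        '<a href="javascript:alert(1)">click</a>',     // javascript: URL
        '<script>alert(1)',                            // unterminated; regex needs </script>
        '<scr<script></script>ipt>alert(1)</script>',  // inner pair removed, outer re-forms
    ];
    return array_combine($payloads, array_map('cleanInput', $payloads));
}

// Storage: parameterised, content stored unmodified. $uid should come from the
// session, not the form; it is a parameter only to match the post's schema.
function insertPage(PDO $db, string $title, string $uid, string $desc, string $content): int {
    $stmt = $db->prepare('INSERT INTO pageit (title, userid, `desc`, dateadded, content)'
                       . ' VALUES (?, ?, ?, ?, ?)');
    $stmt->execute([$title, $uid, $desc, date('Y-m-d'), $content]);
    return (int) $db->lastInsertId();
}

// Output, plain-text fields (title, desc): entity-encode everything.
function escapeText(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Output, HTML body: keep only listed tags/attributes, drop everything else.
const ALLOWED_TAGS  = ['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'a', 'img', 'h1', 'h2', 'h3'];
const ALLOWED_ATTRS = ['a' => ['href'], 'img' => ['src', 'alt']];

// http(s) or scheme-less URLs only. Control/whitespace characters are removed
// first because browsers ignore them inside a scheme ("java\tscript:").
function safeUrl(string $url): bool {
    $u = preg_replace('/[\x00-\x20]/', '', $url);
    return (bool) preg_match('#^https?://#i', $u) || !preg_match('#^[a-z][a-z0-9+.-]*:#i', $u);
}

function filterNode(DOMNode $node): void {
    foreach (iterator_to_array($node->childNodes, false) as $child) { // snapshot, list mutates
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                $node->removeChild($child); // script/style/iframe/svg/... go with their subtree
                continue;
            }
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $name = strtolower($attr->name);
                $keep = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                     && (!in_array($name, ['href', 'src'], true) || safeUrl($attr->value));
                if (!$keep) {
                    $child->removeAttribute($attr->name);
                }
            }
            filterNode($child);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child); // comments, processing instructions
        }
    }
}

function sanitizeHtml(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // user markup is rarely well-formed
    $doc->loadHTML('<!DOCTYPE html><html><head><meta http-equiv="Content-Type" '
        . 'content="text/html; charset=utf-8"></head><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    filterNode($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

if (PHP_SAPI === 'cli') {
    foreach (regexBypasses() as $in => $out) {
        echo "$in  -->  $out\n";
    }
    echo sanitizeHtml('<p onclick="x()">Hi <b>there</b></p><img src=x onerror=alert(1)>'
        . '<a href="javascript:alert(1)">x</a><script>alert(1)</script><!-- c -->'), "\n";
}
```

Run it from the command line to see the four payloads come back from `cleanInput()` still executable, and the same payloads come out of `sanitizeHtml()` with the event handler, the `javascript:` link and the script element gone. The design point is the order of operations: store what the user sent, query with bound parameters, and decide at render time how each field may be displayed, because a blacklist regex applied at input time has to anticipate every way a browser can be made to run code, while an allow-list applied at output time only has to describe what is permitted. A DOM-based filter this size is enough to show the idea; for production a maintained library such as HTML Purifier is the safer choice, and the `mysql_*` functions the post relies on have been removed from PHP 7, so PDO or mysqli with prepared statements is the route regardless.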
