Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

CRM?
I think that's what they're called. Customer Management System? Anyway. Is there any good free ones

Exporting new records
Trying to figure out the best way to set this up.

People register my site.

Their prof

IF STATEMENT HELP
Hi
i have created a calendar from a table:

Code: Calendar: October 2009
<table w

include function being weird?
I have a very simple system to grab an IP outputted by a PHP file.. (for a project I have) but it ou

LinkedList help
Ok so I just learned quickly about lists, so I have a not too hard project I think, but am having a

Checking if variable is 0 as opposed to NULL/Empty...
I'm trying to write some code that will retrieve a user's access level from my database and if it do

Blogging s/w
heya frndz!!! i want to start a blog.... m looking for a s/w like oscommerce which is thr for e-comm

MII Netweaver Server stopped due to CPIC connection Problem
Dear Experts,
We have SAP XMII 12.0 setup running on Netweaver 2004s,7.0, Java Stack only.

problem in program for counting no of chars using pointers
Hi all, I was trying to make a program which counts number of chars in a string using concpt of poin

mysql VARCHAR acting like INT
Hi, All.

I have a table that contains a varchar(10) column named weird_field. In this column

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash