I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and receive their own URL. I've, without testing, written this part of the script to clean the input. Are there major security risks?
```php
<?php
// Strip <script>...</script> blocks from a string (the only XSS filtering applied)
function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si', // Strip out javascript
    );
    $output = preg_replace($search, '', $input);
    return $output;
}

// Recursively clean a value (or array of values) and escape it for MySQL
function sanitize($input) {
    $output = array();
    if (is_array($input)) {
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $input = cleanInput($input);
        $output = mysql_real_escape_string($input);
    }
    return $output;
}

// Define date for entry
$date = date("Y-m-d");

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
    mysql_query("INSERT INTO pageit (title, userid, `desc`, dateadded, content)
                 VALUES ('" . $title . "', '" . $uid . "', '" . $desc . "', '" . $date . "', '" . $content . "')")
        or die(mysql_error());
}

// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
// Done script stuff for now..
```
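Added example, not code from the question: a Python port of `cleanInput()`'s regex (the PCRE pattern and its `s`/`i` modifiers behave identically under Python's `re`), run over a handful of constructed payloads to show what a single-pattern denylist lets through, followed by the two pieces the script actually needs kept apart: a parameterised insert for the SQL side and an allowlist HTML sanitizer applied when the page is rendered. The `pageit` table is recreated in an in-memory SQLite database as a stand-in for the MySQL table; the tag and attribute allowlists, `safe_url()` and `store_and_render()` are my own choices for the demonstration, not anything the question defines.

```python
import html
import re
import sqlite3
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Same pattern as the question's cleanInput(): PCRE '@<script[^>]*?>.*?</script>@si'
# (the 's' and 'i' modifiers map to re.S and re.I).
SCRIPT_RE = re.compile(r"<script[^>]*?>.*?</script>", re.S | re.I)


def clean_input(value):
    """Port of the question's cleanInput(): removes complete <script>...</script> pairs only."""
    return SCRIPT_RE.sub("", value)


# Constructed payloads (not from the question). Each still executes JavaScript in a
# browser after clean_input(), because the filter only knows one tag shape.
BYPASS_PAYLOADS = {
    "event handler": '<img src=x onerror=alert(1)>',
    "svg onload": '<svg onload=alert(1)>',
    "javascript url": '<a href="javascript:alert(1)">x</a>',
    "unclosed tag": '<script>alert(1)',  # no </script>, so the regex never matches
    "nested tag": '<scr<script></script>ipt>alert(1)</script>',  # inner pair removed, outer reassembles
}


def survivors():
    """Return {name: output} showing what clean_input() leaves of each payload."""
    return {name: clean_input(p) for name, p in BYPASS_PAYLOADS.items()}


# Hardened alternative (my own allowlist, chosen for the example): tags not listed are
# dropped entirely, attributes not listed are dropped, href/src must be relative or http(s).
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "img", "br", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}


def safe_url(value):
    # HTMLParser has already decoded entities in attribute values, so
    # '&#106;avascript:' arrives here as 'javascript:' and is rejected.
    return urlsplit(value.strip()).scheme.lower() in ("", "http", "https")


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # Text nodes are re-escaped, so a stray '<' can never open a tag.
        self.out.append(html.escape(data, quote=False))


def sanitize_html(value):
    parser = AllowlistSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)


def insert_page(conn, title, uid, desc, content):
    """Parameterised INSERT: the driver keeps the values out of the SQL text,
    so no mysql_real_escape_string()-style escaping is applied on the way in."""
    conn.execute(
        'INSERT INTO pageit (title, userid, "desc", dateadded, content) '
        "VALUES (?, ?, ?, date('now'), ?)",
        (title, uid, desc, content),
    )


def store_and_render(title, uid, desc, content):
    """Store the raw input, then escape at the output boundary: the title is plain
    text (html.escape), the body is user HTML (allowlist sanitizer)."""
    conn = sqlite3.connect(":memory:")  # stand-in for the question's MySQL table
    conn.execute('CREATE TABLE pageit (title TEXT, userid TEXT, "desc" TEXT, '
                 "dateadded TEXT, content TEXT)")
    insert_page(conn, title, uid, desc, content)
    row = conn.execute("SELECT title, content FROM pageit").fetchone()
    return "<h1>%s</h1>\n%s" % (html.escape(row[0], quote=True), sanitize_html(row[1]))


if __name__ == "__main__":
    for name, out in survivors().items():
        print("%-15s -> %s" % (name, out))
    print(store_and_render("O'Reilly", "u1", "demo", '<p>hi</p><img src=x onerror=alert(1)>'))
```

Two points the example makes concrete: `mysql_real_escape_string()` is an escape for the SQL string context only and says nothing about HTML, so doing it on input and rendering the stored HTML raw leaves every payload above intact; and a regex that recognises one tag shape cannot be patched into an HTML sanitizer, since the parser in the browser sees tags, attributes and URL schemes the pattern never looks at. In PHP the same split is PDO prepared statements for the insert and an allowlist library such as HTML Purifier for the stored content.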