Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

PHP switch function help
Hi, I am trying to create a search function for a directory website. On the search function on html

'grab_files', multiple extension?
hey guys,

can anyone suggest a way to make to following line of code look for files with more

Module pool selction screen parameters combination logic
Hi floks,
Am new to the module pool development ,Recently i have created one program based on

MS Access data into a html table
Hi everyone, I am quite a novice at php but I have created some helpful scripts that fetch data
f

[function.file]: failed to open stream: No such file or directory
Okay I wrote this little script to upload a csv file that is located on my webhosts server to a mysq

output_buffering so rewrite
I'm planning to rewrite some of my scripts so they don't have to use output buffering to accomplish

Multiple upload and Resize
I would like some help on my script I have the for my index.php

////

<html&

Stopping page post back
I have few literal contriols in my page and a repeater too. But inspite of using update panel, postb

PHP friend keyword equivalent
is there a PHP equivalent for the C++ friend keyword?

php forms and database navigatio
Hello,
I'm new to php and i'd like to post the following.
I have written code to get records f

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash