Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

mysql UPDATE request not working and driving me crazy!!!
Hi,

I have been stuck on this for ages.

Quite simply I am trying to update my database

Scene graph using Direct3D?
There are several C++ scene graph based packages available for OpenGl, like say OSG,

http://w

IDOC error
Hi, When i send IDOC from ECC system to MII there is no problem ECC side, i says message sent succe

pop3 and fsockopen
So I am able to connect to the pop3 server, log in, and check how many messages there are. I am hav

Wrong Info sent Using $get in form
Hi i have this code that i tried to make to send some info from one page to aother with lots of ppls

How to clone an SAP ECC using bacup tape on z/os?
We want to clone our production to a different SID using backup tape.

Get last modified date of web page
Hai All,

In php how can i get last modified date of a give web page . I have tried to g

Simple code help with redirects
I am trying to figure out a redirect script that detects if the browser is IE 7 and if it does, redi

Generating unique numbers using php
Hi,
I need help in generating unique number using php.I tired using rand() in php.But, by using r

Supress some serveroutput but not all
Hi,

I have a script I'm working on that uses plsql to create and RMAN script, this uses d

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash