Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and receive their own URL. I've written this part of the script, without testing it, to clean the input; are there major security risks?

function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si', // Strip out javascript
    );
    $output = preg_replace($search, '', $input);
    return $output;
}

function sanitize($input) {
    $output = array();
    if (is_array($input)) {
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $input = cleanInput($input);
        $output = mysql_real_escape_string($input);
    }
    return $output;
}

// Define date for entry
$date = date("Y-m-d");

// Clean input
$_title   = sanitize(cleanInput($_POST['title']));
$_uid     = sanitize(cleanInput($_POST['uid']));
$_desc    = sanitize(cleanInput($_POST['desc']));
$_content = sanitize(cleanInput($_POST['content']));

// Insert a row of information into the table with function
// (uses its parameters: the $_title etc. variables are not visible inside a function)
function insert($title, $uid, $desc, $date, $content) {
    mysql_query("INSERT INTO pageit
        (title, userid, `desc`, dateadded, content)
        VALUES ('".$title."','".$uid."','".$desc."','".$date."','".$content."')")
        or die(mysql_error());
}

// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
// Done script stuff for now..
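The two things a reviewer would change in the script above are the blacklist regex (it only catches one tag, and stored HTML can carry active content in attributes and other elements) and the string-built SQL (escaping each value by hand is fragile, and the `insert()` function does not even receive the escaped values). The following is an added example, not the poster's code or anything from this site: an allowlist sanitizer built on PHP's DOMDocument, which keeps only listed tags and attributes and restricts `href`/`src` to relative or http(s) URLs, plus a PDO parameterized INSERT into the same `pageit` table. The DSN and credentials are placeholders, the tag allowlist is one I chose for illustration, and the sample input is constructed.

```php
<?php
// Added example, not the poster's code: allowlist HTML sanitizing in place of the
// <script>-stripping regex, and a parameterized INSERT in place of
// mysql_real_escape_string string-building. Table/column names follow the
// question; the PDO DSN and credentials below are placeholders.
declare(strict_types=1);

// Tags a stored page may keep, each with the attributes allowed on it.
// Anything not listed (including every on* event handler and style=) is removed.
const ALLOWED_TAGS = [
    'p' => [], 'br' => [], 'b' => [], 'strong' => [], 'i' => [], 'em' => [], 'u' => [],
    'h1' => [], 'h2' => [], 'h3' => [], 'ul' => [], 'ol' => [], 'li' => [],
    'a'   => ['href', 'title'],
    'img' => ['src', 'alt', 'width', 'height'],
];
// Elements removed together with their content; other disallowed elements are
// unwrapped so the author's text survives.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];
const URL_ATTRIBUTES = ['href', 'src'];

// Only relative links, fragments and http(s) URLs are kept in href/src.
function isSafeUrl(string $url): bool {
    $url = trim($url);
    if ($url === '' || $url[0] === '/' || $url[0] === '#') {
        return true;
    }
    return preg_match('#^https?://#i', $url) === 1;
}

function cleanNode(DOMNode $node, DOMDocument $doc): void {
    // Work on a snapshot: removing or moving children mutates the live list.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue;                   // text is kept; saveHTML() escapes < and &
        }
        if (!$child instanceof DOMElement) {
            $node->removeChild($child); // comments, CDATA, processing instructions
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $node->removeChild($child);
            continue;
        }
        if (!array_key_exists($tag, ALLOWED_TAGS)) {
            // Unknown tag: clean its children, hoist them up, drop the tag itself.
            cleanNode($child, $doc);
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_TAGS[$tag], true)
                 && (!in_array($name, URL_ATTRIBUTES, true) || isSafeUrl($attr->value));
            if (!$keep) {
                $child->removeAttribute($attr->name);
            }
        }
        cleanNode($child, $doc);
    }
}

function sanitizeHtml(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // unknown tags raise warnings; ignore them
    // The encoding PI makes libxml read the fragment as UTF-8. libxml wraps it in
    // <html><body>, which also neutralises stray closing tags in user content.
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html, LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    cleanNode($body, $doc);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Parameterized insert: values travel separately from the SQL text, so no
// escaping of the values is needed and quoting mistakes cannot occur.
function insertPage(PDO $db, string $title, string $uid, string $desc, string $content): void {
    $stmt = $db->prepare(
        'INSERT INTO pageit (title, userid, `desc`, dateadded, content)
         VALUES (:title, :uid, :desc, :dateadded, :content)'
    );
    $stmt->execute([
        ':title'     => $title,
        ':uid'       => $uid,
        ':desc'      => $desc,
        ':dateadded' => date('Y-m-d'),
        ':content'   => sanitizeHtml($content),
    ]);
}

// Constructed sample input so the sanitizer can be run stand-alone, without a database.
$sample = '<p onclick="doSomething()">Hello <b>world</b></p><script>alert(1)</script>'
        . '<a href="ftp://example.com/file">dropped href</a> <a href="https://example.com/">ok</a>';
echo sanitizeHtml($sample), PHP_EOL;

// Wiring with placeholder credentials (replace DB_NAME/DB_USER/DB_PASS):
// $db = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS',
//     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
// insertPage($db, $_POST['title'], $_POST['uid'], $_POST['desc'], $_POST['content']);
```

Running the file on its own prints the sample with the `onclick` attribute, the `<script>` element and the non-http `href` removed while the text and allowed markup survive. Two points about the design: only `content` goes through `sanitizeHtml()`, because it is the one field meant to hold HTML; `title`, `desc` and `uid` are plain text and should be passed through `htmlspecialchars()` at the point where they are rendered, not altered on the way into the database. And the stripslashes/magic-quotes dance disappears entirely, since the values are never spliced into SQL.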

No comments posted yet
