Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

Add User script "Could not execute query"
This should be an easy script but I can't get it to run. Can someone please help me?

<

i have no idea why this isn't working
Code: <?php
session_start();
include("connect.php");

error_reporting(E

pls clear my confusion
Hi friends,

Pls solve my query .

what is the exact use of Scope Resolution Operator( i

Oracle Connectivity
Hi Every One,

Can we access SAP from oracle database.If it possible then please spec

Quick Question about echo value
Hey guys, I'm trying to get something to show differently in one of my scripts. I'm trying to make

some query on multilingual website
Hi all,

Which is the simplest and easiest method to make a website multilingual,
is it put

private constructor
Hello,

Can we create a constructor as private? If yes, what is the use of it? If no, why can'

Getting number of affected rows in SQLPLUS..
Hi everyone,
I have a shell script where i am invoking sqlplus, running a query and saving t

Email with Attachments in PHP
Hi Friends

How to send email in PHP with attachment.
I know simple mail can be sent with

PHP code needed to get/post form fields and request mysql query results.
I'm new to PHP

I've created an html form to allow the user to request a basic telephone dire

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash