Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

Search in the PHP Files
have to search asterisk(*) in the php code of the php files .
In the html page one text box

GIS appliction help
I found some tutorials in the internet to develop a map application I don't want to use google maps

PHP url branch??
Functionally, using PHP, I'm doing a test of login input submitted by a user via an html form in a f

str_replace help
Hey there,

I'm a PHP newb, I'm having troubles with the str_replace function. I want to clean

extract data
Code: <div class="post hentry uncustomized-post-template">

How can I get my program to read a larger array ??
Hi:

I have this program that reads from an array to do calculations. The array are just t

More pug propaganda.
http://www.youtube.com/watch?v=8Kkrmubsgf8

The commercial is definitely worth watching pug aw

Why is my row count 0?
Here's the MySQL query i'm running. It basically pulls data from 2 tables based on some data passed.

PHP friend keyword equivalent
is there a PHP equivalent for the C++ friend keyword?

Remove Rows From Database ad
Hi All,

I have this:

Code: [Select]<?php
session_start();
include('../com

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash