Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

Strange php code found on my website
I got hacked and the following code was placed within my files:

Code: [Select]<?
/*

Adding meta tags under Zend FW
Hello there, recently has come to my hands the FTP of a website which is running under Zend, I would

How can you detect variable string in a massive string?
Ok guys, i need some help with this one.

I am going to be getting a large string, like 10-20

Inserting a check in checkbox from array value
Hello all,
I have a bit of code that works for a select option box, but does not work for my chec

mysqli_fetch_assoc returns multiple arrays, how to return a single array
Hello, I am using mysqli_fetch_assoc which is returning multiple rows, so it looks like:

Code

cURL Upload Help
OK, I am creating a bridge from a local program to my website and I am trying to find the best way t

OPINIONS WANTED
This is my login page code, and I want your opinion on it please!

Code: // Login ~ CHECKS

upload image name with extension using php
hi frds..

<input id="file1" type="file" name="file[]" &a

Just wondering what you think about my site
I am new to phpfreaks i just seen this form and thought it would be cool to see what other thought a

CE 7.1 and External GIS integration
Hi All,

We want to develop an application on CE 7.1 which uses GIS features from an exter

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash