Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and receive their own URL. Without testing, I've written this part of the script to clean the input. Are there major security risks?

function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si', // Strip out javascript
    );
    $output = preg_replace($search, '', $input);
    return $output;
}

function sanitize($input) {
    $output = array();
    if (is_array($input)) {
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $input = cleanInput($input);
        $output = mysql_real_escape_string($input);
    }
    return $output;
}

// Define date for entry
$date = date("Y-m-d");

// Clean input (cleanInput() also runs inside sanitize(), so it is applied twice here)
$_title   = sanitize(cleanInput($_POST['title']));
$_uid     = sanitize(cleanInput($_POST['uid']));
$_desc    = sanitize(cleanInput($_POST['desc']));
$_content = sanitize(cleanInput($_POST['content']));

// Insert a row of information into the table with function
// (uses its own parameters; the globals $_uid etc. are not visible inside the function)
function insert($title, $uid, $desc, $date, $content) {
    mysql_query("INSERT INTO pageit
        (title, userid, `desc`, dateadded, content)
        VALUES ('" . $title . "','" . $uid . "','" . $desc . "','" . $date . "','" . $content . "')")
        or die(mysql_error());
}

// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
// Done script stuff for now..
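Added here as an example (not the poster's code): the same insert done with PDO prepared statements, keeping the SQL and HTML layers separate instead of stripping <script> tags with a regex and running mysql_real_escape_string on text that will later be rendered as HTML. It assumes the pageit table from the post, a $_POST array shaped like the poster's, and placeholder DSN credentials.

```php
<?php
// Added example, not the poster's code: parameterised SQL plus output-time HTML encoding.
// Assumes the pageit table from the post and a $_POST array shaped like the poster's;
// the DSN and credentials below are placeholders.

// Check each field's presence, type and length before it reaches SQL or HTML.
function requireField(array $post, string $name, int $maxLen): string
{
    if (!isset($post[$name]) || !is_string($post[$name])) {
        throw new InvalidArgumentException("missing field: $name");
    }
    $value = trim($post[$name]);
    if ($value === '' || strlen($value) > $maxLen) {
        throw new InvalidArgumentException("bad length for field: $name");
    }
    return $value;
}

// SQL layer: placeholders carry the data separately from the query text, so no
// escaping function and no magic_quotes handling are needed.
function insertPage(PDO $db, string $title, string $uid, string $desc, string $content): void
{
    $stmt = $db->prepare(
        'INSERT INTO pageit (title, userid, `desc`, dateadded, content)
         VALUES (:title, :uid, :desc, :date, :content)'
    );
    $stmt->execute([
        ':title'   => $title,
        ':uid'     => $uid,
        ':desc'    => $desc,
        ':date'    => date('Y-m-d'),
        ':content' => $content,
    ]);
}

// HTML layer: store the raw text and encode when rendering. A regex that removes <script>
// misses other HTML that executes; to allow a subset of HTML, use an allowlist-based
// library (e.g. HTML Purifier) rather than a blacklist.
function renderPage(string $title, string $content): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1>' . $h($title) . "</h1>\n<div class=\"page\">" . $h($content) . '</div>';
}

$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares
]);
insertPage($db, requireField($_POST, 'title', 200), requireField($_POST, 'uid', 64),
    requireField($_POST, 'desc', 500), requireField($_POST, 'content', 65535));
```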
