Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

Asset Transfer from One plant to another within same company code
Hi,

Please advise how to transfer one asset from one plant to another plant within same c

[newb] Image hosting help.
Hey there, I'm new to php, I know some basics and i can code PWN, I'm only 14 but I'm interested in

Uploading files/images via forms
Hey all, I am building a database for work that will contain some minor data on plant species along

Option box to change variable
Hello, i need help by making a script!

I need to write a file with option box, so a dropdown

Inserting a check in checkbox from array value
Hello all,
I have a bit of code that works for a select option box, but does not work for my chec

Struct/union and scope problem!
HI all , I have
Code: in header.h typedef struct Node Link; /* ---------

disabling a button server-side then re-enabling client-side breaks button postback
I have a tabbed container and a button (not in the container) on a page. If the first tab is selecte

Deleting a record php
Attempting to setup delete a record page. The below code I put together doesn't seem to work.

If a record matches an existing record do nothing
So I don't know if I should put this here or in mysql, but what my script is for is for people to ad

a function to check directory depth
I'm working on a php script to upload files in to a set directory.
the user can select to upload

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash