Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

Update Database
Hi All,


I have a problem with this:

Code: [Select]<?php
session_start();

big pagination problem in php
<?php

$connect = mysql_connect("localhost", "root", "")

New Search Engine problem
Hey everyone,

I have a ZIP Code Radius search engine already functional. it displays all of t

Mail from PHP form not always ending up in my inbox?
Hi guys,

I'm a real newbie to PHP and have managed to put together a simple mail form that se

PHP switch function help
Hi, I am trying to create a search function for a directory website. On the search function on html

Points for Wiki contribution
Hi everyone,

I want to know how long does it take for the moderator to award points for a

Using system() and bringing back the results
I am aware that you can use system() within PHP to execute system commands, but I was wondering if t

Problem with HTTP Caching...?
Hi there, im trying to implement caching. But it doesn't always work.
I post it here because ther

pull content
I have an existing page, domain/adverts.php which has a good PR. I've just rebuilt my site and the n

UDP server recvfrom() always returns -1? :(
Hello all,
I am getting a very strange error in my code :( I am writing a server application in C

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash