Sufficient protection from bad input?
Posted on 16th Feb 2014 07:03 pm by admin
I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and receive their own URL. I've written this part of the script, without testing it, to clean the input. Are there major security risks?
    function cleanInput($input) {
        $search = array(
            '@<script[^>]*?>.*?</script>@si', // Strip out <script>...</script> blocks
        );
        $output = preg_replace($search, '', $input);
        return $output;
    }

    function sanitize($input) {
        $output = array(); // initialised so an empty array input still returns a value
        if (is_array($input)) {
            foreach ($input as $var => $val) {
                $output[$var] = sanitize($val);
            }
        } else {
            // Undo magic_quotes before escaping (the function only exists on PHP < 8)
            if (get_magic_quotes_gpc()) {
                $input = stripslashes($input);
            }
            $input = cleanInput($input);
            // mysql_* functions are deprecated since PHP 5.5 and removed in PHP 7
            $output = mysql_real_escape_string($input);
        }
        return $output;
    }

    // Define date for entry
    $date = date("Y-m-d");

    // Clean input (sanitize() already calls cleanInput(), so the outer call is redundant)
    $_title   = sanitize(cleanInput($_POST['title']));
    $_uid     = sanitize(cleanInput($_POST['uid']));
    $_desc    = sanitize(cleanInput($_POST['desc']));
    $_content = sanitize(cleanInput($_POST['content']));

    // Insert a row of information into the table with a function.
    // The function body must use its own parameters; the original referenced
    // $_uid, $_desc and $_content, which are not in scope inside a function,
    // and had a typo (_$title) in the title placeholder.
    function insert($title, $uid, $desc, $date, $content) {
        mysql_query("INSERT INTO pageit
            (title, userid, `desc`, dateadded, content)
            VALUES ('" . $title . "','" . $uid . "','" . $desc . "','" . $date . "','" . $content . "')")
            or die(mysql_error());
    }

    // Do the insert with the cleaned data!
    insert($_title, $_uid, $_desc, $date, $_content);
    // Done script stuff for now..
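The same insert written with PDO prepared statements, as an added example that is not part of the original post: the SQL text never changes with user input, so no escaping function is needed for the database, and escaping for HTML is done at output time instead. The DSN and credentials are placeholders; the table and column names are the ones from the question.

```php
<?php
// Added example, not the poster's code. DB_*_PLACEHOLDER values are assumed.

function connect(): PDO {
    $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
                   'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER');
    // Throw on errors and use real server-side prepared statements
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Store the submitted values unmodified: quoting is handled by the driver,
// and HTML escaping belongs to the output context, not to the stored data.
function insertPage(PDO $pdo, string $title, string $uid, string $desc, string $content): int {
    $stmt = $pdo->prepare(
        'INSERT INTO pageit (title, userid, `desc`, dateadded, content)
         VALUES (:title, :uid, :desc, :dateadded, :content)'
    );
    $stmt->execute([
        ':title'     => $title,
        ':uid'       => $uid,
        ':desc'      => $desc,
        ':dateadded' => date('Y-m-d'),
        ':content'   => $content,
    ]);
    return (int) $pdo->lastInsertId();
}

// Fields meant to be plain text are HTML-escaped when rendered. The page
// body, which the question wants to allow HTML in, needs an allowlist-based
// sanitizer (for example HTML Purifier) that drops every tag and attribute
// not on the list; a regex that only removes <script> tags does not cover
// the other ways markup can run code in the browser.
function renderText(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The user id should come from the authenticated session rather than the
// form, otherwise anyone can post pages under another user's id.
$uid     = $_SESSION['uid']  ?? '';
$title   = $_POST['title']   ?? '';
$desc    = $_POST['desc']    ?? '';
$content = $_POST['content'] ?? '';
$newId = insertPage(connect(), $title, $uid, $desc, $content);
echo '<h1>' . renderText($title) . '</h1>';
```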