Sufficient protection from bad input?
Posted on 16th Feb 2014 07:03 pm by admin
I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and receive their own URL. I've, without testing, written this part of the script to clean the input; are there major security risks?
// Strip <script> elements from a string
function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si', // Strip out javascript
    );
    $output = preg_replace($search, '', $input);
    return $output;
}

// Recursively clean and SQL-escape a value or an array of values
function sanitize($input) {
    if (is_array($input)) {
        $output = array(); // initialise, so an empty array returns an array rather than null
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    } else {
        // get_magic_quotes_gpc() is deprecated and removed in PHP 8; guarded so the script still runs there
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $input = cleanInput($input);
        $output = mysql_real_escape_string($input);
    }
    return $output;
}

//Define date for entry
$date = date("Y-m-d");

//clean input (sanitize() already calls cleanInput(), so it need not be called twice)
$_title   = sanitize(isset($_POST['title'])   ? $_POST['title']   : '');
$_uid     = sanitize(isset($_POST['uid'])     ? $_POST['uid']     : '');
$_desc    = sanitize(isset($_POST['desc'])    ? $_POST['desc']    : '');
$_content = sanitize(isset($_POST['content']) ? $_POST['content'] : '');

// Insert a row of information into the table with function
// Uses its parameters: $_title and friends are not visible inside the function (this also fixes the _$title typo)
function insert($title, $uid, $desc, $date, $content) {
    mysql_query("INSERT INTO pageit
        (title, userid, `desc`, dateadded, content) VALUES('".$title."','".$uid."','".$desc."','".$date."','".$content."') ")
        or die(mysql_error());
}

// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..
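The two weak points in the script above are the blacklist regex (it only removes whole `<script>` elements, while HTML has many other places where script can live, such as event-handler attributes and `javascript:` URLs) and the SQL built by string concatenation. The following is an added example, not the poster's code and not something from this forum: an allowlist sanitiser built on PHP's DOMDocument, which keeps only named tags and attributes and drops everything else, plus a parameterised INSERT through PDO that makes mysql_real_escape_string and the magic-quotes handling unnecessary. It assumes PHP 7.1 or later with the dom and pdo_mysql extensions; the table and column names (pageit, title, userid, desc, dateadded, content) are those in the post, the DSN and credentials are placeholders, and the sample input at the bottom is constructed.

```php
<?php
// Added example, not the poster's code: allowlist HTML sanitising with
// DOMDocument and a parameterised INSERT via PDO. Table/column names come
// from the post; the DSN and credentials are placeholders (assumption).

// Tags and attributes a user page may keep; everything else is removed.
const ALLOWED_TAGS      = ['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'a', 'img'];
const ALLOWED_ATTRS     = ['a' => ['href', 'title'], 'img' => ['src', 'alt']];
const ALLOWED_SCHEMES   = ['http', 'https'];
// Elements whose content is removed with them; other disallowed tags are unwrapped.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

function safeUrl(string $attr, string $value): bool {
    if ($attr !== 'href' && $attr !== 'src') {
        return true;
    }
    // Browsers ignore ASCII whitespace/control characters inside a scheme, so
    // strip them from a probe copy before deciding whether a scheme is present.
    $probe = preg_replace('/[\x00-\x20\x7f]+/', '', $value);
    if (!preg_match('/^([a-z][a-z0-9+.-]*):/i', $probe, $m)) {
        return true; // no scheme: a relative URL
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

function cleanNode(DOMNode $node): void {
    // Walk a snapshot of the children, because the list is mutated during the walk.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (in_array($tag, DROP_WITH_CONTENT, true)) {
                $node->removeChild($child);
            } elseif (!in_array($tag, ALLOWED_TAGS, true)) {
                // Unknown tag: clean its children first, then hoist them out of it.
                cleanNode($child);
                while ($child->firstChild !== null) {
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
            } else {
                $allowed = ALLOWED_ATTRS[$tag] ?? [];
                foreach (iterator_to_array($child->attributes, false) as $attr) {
                    $name = strtolower($attr->name);
                    if (!in_array($name, $allowed, true) || !safeUrl($name, $attr->value)) {
                        $child->removeAttribute($attr->name); // drops on* handlers and bad URLs
                    }
                }
                cleanNode($child);
            }
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child); // comments and processing instructions
        }
    }
}

function sanitizeHtml(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // user HTML is rarely well-formed
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $html . '</div>', LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    // The wrapper is the first <div> in document order.
    $root = $doc->getElementsByTagName('div')->item(0);
    if ($root === null) {
        return '';
    }
    cleanNode($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Prepared statement: the values never become part of the SQL text, so no escaping is needed.
function insertPage(PDO $db, string $title, int $uid, string $desc, string $content): void {
    $stmt = $db->prepare(
        'INSERT INTO pageit (title, userid, `desc`, dateadded, content) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->execute([$title, $uid, $desc, date('Y-m-d'), $content]);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample: the regex in the post leaves the first paragraph untouched,
    // since the handler attribute is not inside a <script> element.
    $sample = '<p onclick="x()">Hello <b>world</b></p><script>x()</script>'
            . '<a href="javascript:x()">bad</a><a href="https://example.com/">ok</a>';
    echo sanitizeHtml($sample), "\n";
    // Wiring it to the form (placeholders, assumption):
    // $db = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS',
    //     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
    // insertPage($db, $_POST['title'], (int) $_POST['uid'], $_POST['desc'], sanitizeHtml($_POST['content']));
}
```

Only the content field is HTML and goes through sanitizeHtml(); title and desc are plain text, so store them as typed and escape them with htmlspecialchars() when they are rendered, not before they are stored. libxml's HTML parser does not agree with browsers on every malformed input, so for a production site a maintained allowlist sanitiser such as HTML Purifier is the safer choice; the structure above is the same, an allowlist over a parsed tree rather than a regex over the raw string.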