Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

Running a cron job through PHP/Apache?!
Hello all,
I have a PHP script which makes a cron file from user input. When i try to run the cro

All possible combinations of Strings from table in PL/SQL
Hi,

I am trying to figure out how to build a list of all possible string combinations fro

Pulling out some result data from MYSQL
Hey Guys,

I've built a PHP page that has a for just imagine something like registration form

pull content
I have an existing page, domain/adverts.php which has a good PR. I've just rebuilt my site and the n

how to query data from website using VC?
I want to query some datum from a website,so I need a program to read data from a .csv file, and ass

PHP Function Page Advice
Hi All, I am quite new to PHP and Javascript but have written an Online Shop (Mainly for Fun and edu

How to validate from 2 possible answers
Hi

I hope somebody can help me with what will probably be really simple, I'm pulling my hair

Alternate messaging
I have 4 strings in MySQL db1

$string1 : Hello
$string2 : Hi
$string3 : Great
$strin

need help in update query
i create a form for update. there are 8 columns in my mysql table. on my main page all the data is r

Login Functionality Working Different on IE
This is an odd one, I have a site which has an admin section. The admin pages unsurprisingly require

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash