Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

phpmailer class & pop.gmail.com?
Code: <?php
$mail->IsSMTP();
$mail->Host = "pop.gmail.com";

Why does my php page download images over and over
Can anybody please explain to me why my php page keeps downloading the images and other items every

HTML Form Server Side Validation
Hi, Im new here, im currently doing a website for a friend, and I have designed using snippets from

How to make a input/output field with multiple lines
Hello.
I put a input/output field on the screen but I could not change height of it. I need to

Serial number of exernal hard disk/Thumbdrive
Hi guys, I am new tio java networking concepts.Please tel me how to get Serial number of exernal

Spaghetti Code
So.

I've pretty much reached the point where I have so many isset s on one page that I can't

difference between datetimes
($row['totime']-$row['fromtime'])/60

this is giving me 0

example of totime and fromtim

SESSION CHECK WORKS "MOST" of the time... whats going on?
i have a sign in check thats included in every page that is a members only page which is basically a

Any decent php formatter/beautifier/pretty printer?
Any decent php formatter/beautifier/pretty printer class/function?

I found the following whil

onclick problem
I have <input type="text" name="message">
<a href=page2.

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash