Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

Undefined Variable: PHP_SELF, pls help
Hi,

Im a newbie on PHP / MySQL programming and Im running a script to search one field on my

Apart from cron
I need to run a php file every one hour. Is there any other solution apart from cron job?

Probably Easy, Need help with Check Boxes in PHP Code
hello,

Thanks for looking this over and helping me out. My problem is I have a online store l

DOMDocument
Hello All,

I need to take an XML document, modify some of the nodes in it and then perform a

Is there something wrong?
Hi all,

Just a quick question... can someone look at this code and see if something is wrong?

problem with php server update from mid 2009
Hi,

I have this navigation menu on 2 websites which used to work just fine. After a recent up

Need Reporting Advice
My SQL server doesn't support MS SQL reporting services that comes with SQL Enterprise or Express. T

How to use Substr
I want to check for the word CATEGORY: inside a string which can be CATEGORY: ITEM
and remove the

Passing variables with pagination - iterating through unique id per link
Hi everyone,
I have seen a few topics like this one. Still cant find the specific thing, so I am

Merger of 6 sister companies under one flagship company after go live
Dear Experts,
I need one help regarding Merger of sister companies of same group. currently we

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash