Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

Get to know your fellow coder
I think it's time we got personal around here. There's a lot of code swapping and a few members kno

Extra fields in main body and php required.
I'm new to PHP so please be gentle. I have a little php script below that works well.
The &quo

error reporting
hey everyone

I have a production server in which I want error reporting but only on some page

Changes to hosting company's server has affected web contact form
I started a thread a couple of months ago about the contact forms on my client's website. Basically

php forms and database navigatio
Hello,
I'm new to php and i'd like to post the following.
I have written code to get records f

PHP Multiples of 2, Show posts...not working (wordpress)
I have been using this code to show div.example with 6 li columns inside it, each li is a post with

Is there something wrong?
Hi all,

Just a quick question... can someone look at this code and see if something is wrong?

SAP Management Console is blank
Dear All ,

I am facing problem in my des sever suddely in SAP Management Console is blank and

very easy question about SQL info
Hello,
I think that I have a very easy question.
I know how to create a form using php SQL and

Structure Question - One Table or One Table Per Record Set?
I have a web app (mySQL and PHP) which allows people to create an item with up to 200 records which

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash