Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

How do I replace any number of character occurences with one occurrence?
How do I replace any number of character occurences with one occurrence?

Let's say I have:

problems with script
I made a small script wich exchanges points in my website:


<?php
session_start

Inserting Data into a MS Access DB using PHP.
As part of my uni course I am doing a placement at a company whom want me to create a client zone fo

Concatenate two strings ???
I have string one $string1 and another $string2.

How to concatenate (add) both of them $str

How can use this array as a key?
Say I have this array for example:


print_r($array);

Prints:
Code: [Select]Array

Include with Parameters
In a particular page I would like to include a file that requires $_GET parameters.

when I go

PHP - HTTP Digest Authentication - Understanding Code Help
Hi Everyone,

This is my first time on your website and please excuse if I am asking silly que

Display a default image
I am trying to display generic image for items that don't have one, but I can't get it to display.

mysql_query returning boolean instead of mysql ressource
Hi,

I seem to have a weird issue with the php command mysql_query. I pass 2 arguments the que

PO Release Strategy Issue
Hi Experts,

I am facing an issue related to PO release strategy. The details are-
<

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash