Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and receive their own URL. I've, without testing, written this part of the script to clean the input; are there major security risks?

function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si', // Strip out javascript
    );
    $output = preg_replace($search, '', $input);
    return $output;
}

function sanitize($input) {
    if (is_array($input)) {
        $output = array(); // initialise so an empty array does not return null
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $input = cleanInput($input);
        // requires an open mysql_connect() link, otherwise it returns false
        $output = mysql_real_escape_string($input);
    }
    return $output;
}

//Define date for entry
$date = date("Y-m-d");

//clean input (sanitize() already calls cleanInput(), so the outer call is redundant but harmless)
$_title = sanitize(cleanInput($_POST['title']));
$_uid = sanitize(cleanInput($_POST['uid']));
$_desc = sanitize(cleanInput($_POST['desc']));
$_content = sanitize(cleanInput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
    // Use the function parameters: the $_title, $_uid, ... globals are not
    // visible inside the function, and "_$title" was a syntax error.
    mysql_query("INSERT INTO pageit
        (title, userid, `desc`, dateadded, content)
        VALUES ('".$title."','".$uid."','".$desc."','".$date."','".$content."')")
        or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..
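For comparison, here is the same insert written with a prepared statement and with escaping done at output time rather than by stripping tags on input. This is an added example, not the poster's code: it assumes a PDO connection with placeholder credentials, the `pageit` table from the question, and PHP 7 or later (the `mysql_*` functions were removed in PHP 7.0 and `get_magic_quotes_gpc()` in PHP 8.0). The database driver handles quoting, so no `mysql_real_escape_string()` is needed, and `htmlspecialchars()` turns any stored markup into harmless text when a page is rendered.

```php
<?php
// Added example, not the original poster's code.
// Assumed: a MySQL database containing the `pageit` table from the question.

function connect(): PDO {
    // Placeholder DSN and credentials; replace with your own.
    $pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'password');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Real server-side prepares, so values never touch the SQL text.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Storage: bind the values instead of concatenating them into the query.
function insertPage(PDO $pdo, string $title, string $uid, string $desc, string $content): int {
    $stmt = $pdo->prepare(
        'INSERT INTO pageit (title, userid, `desc`, dateadded, content)
         VALUES (:title, :uid, :desc, :date, :content)'
    );
    $stmt->execute([
        ':title'   => $title,
        ':uid'     => $uid,
        ':desc'    => $desc,
        ':date'    => date('Y-m-d'),
        ':content' => $content,
    ]);
    return (int) $pdo->lastInsertId();
}

// Display: escape at the point of output so stored markup is shown, not executed.
function escapeForHtml(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input, the kind the question's regex tries to strip.
$sample = "Hello <script>example()</script> & <b>bold</b>";
echo escapeForHtml($sample), "\n";

// Uncomment once a database is available:
// $pdo = connect();
// $id = insertPage($pdo, $_POST['title'], $_POST['uid'], $_POST['desc'], $_POST['content']);
```

Because the question wants users to keep "a few bits of HTML", escaping everything on output is only half the answer; allowing a subset of tags safely needs an allow-list HTML sanitizer (HTML Purifier is the usual PHP choice) rather than a regex that removes one tag name, since the regex has no way to know about every other place markup can carry script.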

No comments posted yet
