Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

Strange array issue, never happened before.
mysql_fetch_array returns 1 array per call. Generally that's why it is inserted into a while statem

Why do I get this error?
Error:

Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or

Cant display mysql data
Hey all,

I am learning php and my first goal is to create a simple CMS. At the moment I am st

question about header() security
is is safe to just use the header() function to redirect someone if they are, say, not logged in? or

Could Someone Please Debug This?
I was wondering if someone could debug this script for me. I realize it's not the tidest script (and

Binding 2 UDP sockets on same port, connected to different destinations, 1 receives
Hello,
My application wants to send/recv data to 2 different UDP ports on a remote computer, us

Embedding flash object in Else statement
This is my first major project in PHP and I'm having some trouble embedding a flash object in an Els

str_replace help
I am thinking str_replace is my only option to filter outputs from my database to convert them to sa

MySQL-PHP Query Results Help
Hello all. I'm hoping to be able to get some help in solving a problem with query/rowcount output. I

PHP loop
Okay so I have several "articles" stored in a mysql database and am attempting to echo tho

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash