Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

Just wondering what you think about my site
I am new to phpfreaks i just seen this form and thought it would be cool to see what other thought a

Help With editting and deleting form
Hallo !!

So look at this image :

http://img194.imageshack.us/img194/8272/snapshot5f.pn

Adding Different Numbers From MySQL
Basically I have a mysql database with a couple prices as the following:

9.99
9.99
9.99

Allegro crashes when running load_bitmap. Why?
I can not get Allegro to load any BMP images. Here is a section of test code. The picture is in the

phpmailer class & pop.gmail.com?
Code: <?php
$mail->IsSMTP();
$mail->Host = "pop.gmail.com";

does anyone know a php script to send mail using gmails/googles free smtp server
cause i heard u can do that but i dont know how

Creating a custom API
I'm creating a site, and I need to create a basic API. Unfortunately I have no idea where to start.

Basic Question Regarding PHP Includes
Hi

Just starting out with PHP.

Working on a site that uses some basic includes, these

downloading a file as HTML
Hi.
I'm rather confused with forcing a download. I just want to save dynamic content (from $_SESS

Mysterious Timeouts
I've deployed a few simple AJAX-enabled web page to a local server that is accessed through the Inte

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash