Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and receive their own url.. I've, without testing, written this part of the script to clean the input; are there major security risks?

function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si', // Strip out javascript
    );
    $output = preg_replace($search, '', $input);
    return $output;
}

function sanitize($input) {
    if (is_array($input)) {
        $output = array(); // so an empty array still returns an array
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $input = cleanInput($input);
        $output = mysql_real_escape_string($input);
    }
    return $output;
}

//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleanInput($_POST['title']));
$_uid = sanitize(cleanInput($_POST['uid']));
$_desc = sanitize(cleanInput($_POST['desc']));
$_content = sanitize(cleanInput($_POST['content']));

// Insert a row of information into the table with function
// (uses the function's own parameters, not the global $_ variables)
function insert($title, $uid, $desc, $date, $content) {
    mysql_query("INSERT INTO pageit
        (title, userid, `desc`, dateadded, content)
        VALUES ('" . $title . "','" . $uid . "','" . $desc . "','" . $date . "','" . $content . "')")
        or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..
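An added example, not the poster's code, showing the same insert done with PDO prepared statements and with HTML escaping applied where values are rendered rather than where they are stored; it assumes the `pageit` table from the post, and the DSN and credentials are placeholders:

```php
<?php
// Added example, not the poster's code: the same insert via PDO prepared
// statements, with HTML escaping moved to output time.
// Assumes the `pageit` table from the post; DSN/credentials are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

// Values travel separately from the SQL text, so no quoting or escaping is
// needed for the database, and magic_quotes/stripslashes drop out entirely.
function insertPage(PDO $pdo, string $title, string $uid, string $desc, string $content): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO pageit (title, userid, `desc`, dateadded, content)
         VALUES (:title, :uid, :desc, :dateadded, :content)'
    );
    $stmt->execute([
        ':title'     => $title,
        ':uid'       => $uid,
        ':desc'      => $desc,
        ':dateadded' => date('Y-m-d'),
        ':content'   => $content,
    ]);
    return (int) $pdo->lastInsertId();
}

// Escape for HTML where the value is rendered, not where it is stored.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Read the fields as plain strings (a missing or non-string value becomes '').
$field = function (string $name): string {
    return is_string($_POST[$name] ?? null) ? $_POST[$name] : '';
};
$title   = $field('title');
$uid     = $field('uid');
$desc    = $field('desc');
$content = $field('content');

$id = insertPage($pdo, $title, $uid, $desc, $content);

// Plain-text fields: escape on output.
echo '<h1>', h($title), '</h1><p>', h($desc), '</p>';
// $content is meant to carry the user's own HTML, so escaping would break it,
// and a regex that strips <script> tags is a blacklist, not a dependable
// filter. Store the raw submission and run it through an allow-list HTML
// sanitizer (e.g. HTML Purifier) before rendering it.
```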

No comments posted yet