Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

Generate multilayered array from string.
ok so i have a string that looks like this:
Code: blog:edit_all,delete_all|users:edit_all,delete_

Simple AND question
Hello,

I've got following code:

Code: if(strpos($row[13],"http://")

Displaying Multidimensional Arrays...about to put my head in a vice, PLEASE HELP
I am fairly new to PHP and MySQL and I have a problem which I have been trying to resolve for days.

Printer configuration
Hi All,
Suppose one of the user deleted the printer settings unfortunatly ,then what is the pro

Implementing Single Sign-On using SAML 1.1, x.509, LDAP in C#.net
Hi, I got a requirement from the client i.e implementing single sing on using SAML 1.1( LDAP &

Populate drop down list from table??
Lets say for arguments sake that i have a table which contains the numbers 1 to 10.
How can i get

Create comparison matrix?
I want to create a comparison script for forum software and was wondering is there any tutorial or b

OPINIONS WANTED
This is my login page code, and I want your opinion on it please!

Code: // Login ~ CHECKS

Strange php code found on my website
I got hacked and the following code was placed within my files:

Code: [Select]<?
/*

Unifying logins of two different scripts
I have two different game scripts which I want to embed on my own site. The problem is I don't want

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash