Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

start new row of pictures
on my site www.budstreasureauctions.com there is a featured auctions box that users will pay to get

PHP5/Zend 2.0 - Resources
PHP5 Snapshots
http://snaps.php.net/

ZEND 2.0 Feature Overview and Design (PDF File

FTP Programs
Here is a list of commonly suggested FTP Programs to use:

FileZilla
SmartFTP
CuteFTP

RSS poster script?
I have found a script that posts RSS's for me on a site that I'm building. However I would like to a

Login script (probably a simple error)
dbConfig.php
Code: <?
// Replace the variable values below
// with your specific dat

Auto-populating dropdowns and multiple forms.
Here's what I have so far:

First drop down = select a state (works)
This populates the sec

Any help with my email script?
I have an email script, I have not tested it, although someone tested it for me and said it worked f

Chat Box in PHP
I was thinking in doing a Chat Box in PHP. For that I would use a form with two fields, Nick and Mes

filesize problem
i use ubuntu 9.10 and i have mountet a folder from an windows

/mount/FOLDER
/mount/FOLDER/

output_buffering so rewrite
I'm planning to rewrite some of my scripts so they don't have to use output buffering to accomplish

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash