Sufficient protection from bad input?
Posted on 16th Feb 2014 07:03 pm by admin
I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and receive their own URL. I have, without testing, written this part of the script to clean the input. Are there major security risks?
<?php
// Strip <script>...</script> blocks with a regex (the only HTML filtering in this script).
function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si', // Strip out javascript
    );
    $output = preg_replace($search, '', $input);
    return $output;
}

// Recursively clean a value (or an array of values) and escape it for use inside a
// quoted MySQL string literal. Assumes mysql_connect() has already opened a link.
function sanitize($input) {
    $output = array(); // initialised so an empty array does not return an undefined variable
    if (is_array($input)) {
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $input = cleanInput($input);
        $output = mysql_real_escape_string($input);
    }
    return $output;
}

// Define date for entry
$date = date("Y-m-d");

// Clean input. sanitize() already calls cleanInput(), so it is not called a second time;
// a missing field defaults to an empty string instead of raising an undefined-index notice.
$_title   = sanitize(isset($_POST['title'])   ? $_POST['title']   : '');
$_uid     = sanitize(isset($_POST['uid'])     ? $_POST['uid']     : '');
$_desc    = sanitize(isset($_POST['desc'])    ? $_POST['desc']    : '');
$_content = sanitize(isset($_POST['content']) ? $_POST['content'] : '');

// Insert a row of information into the table with a function. The query is built from
// the function's own parameters; the global $_uid, $_desc and $_content variables are
// not visible inside the function.
function insert($title, $uid, $desc, $date, $content) {
    mysql_query("INSERT INTO pageit
        (title, userid, `desc`, dateadded, content)
        VALUES ('" . $title . "', '" . $uid . "', '" . $desc . "', '" . $date . "', '" . $content . "')")
        or die(mysql_error());
}

// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
// Done script stuff for now..
No comments posted yet
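The regex in the question only removes a literal `<script ...>...</script>` pair; any other way of running script in user-supplied HTML goes straight through it. The following is an added example, not code from the post: it runs three constructed payloads through the original `cleanInput()` and through an allowlist sanitizer built on `DOMDocument`, and replaces the string-concatenated `INSERT` with a PDO prepared statement. The table and column names are taken from the post; the set of allowed tags, the `$db` PDO connection and the payloads are assumptions chosen for illustration.

```php
<?php
// Added example (not from the post). Assumes PHP 7.1+ with the dom and pdo extensions.

// The regex from the question, unchanged, for comparison.
function cleanInput(string $input): string {
    return preg_replace('@<script[^>]*?>.*?</script>@si', '', $input);
}

// Allowlist (assumed for this example): element => attributes that may stay on it.
// Anything not listed here is removed; there is no list of "bad" things to keep up to date.
const ALLOWED_TAGS = [
    'p' => [], 'br' => [], 'b' => [], 'i' => [], 'em' => [], 'strong' => [],
    'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => [],
    'a' => ['href'], 'img' => ['src', 'alt'],
];
// Elements whose content is removed together with the tag instead of being unwrapped.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'noscript'];

// Accept relative URLs and http(s) only. Browsers ignore tabs/newlines inside a scheme
// ("java\tscript:"), so control characters are stripped before the scheme is inspected.
function safeUrl(string $url): bool {
    $u = preg_replace('/[\x00-\x20]+/', '', $url);
    if (preg_match('/^[a-z][a-z0-9+.-]*:/i', $u)) {
        return (bool) preg_match('/^https?:/i', $u);
    }
    return true;
}

function sanitizeNode(DOMNode $node): void {
    // Copy the child list first: removing nodes while iterating a live DOMNodeList skips siblings.
    $children = iterator_to_array($node->childNodes, false);
    foreach ($children as $child) {
        if ($child instanceof DOMText) {
            continue;                                   // text is entity-escaped on serialisation
        }
        if (!$child instanceof DOMElement) {            // comments, processing instructions, ...
            $node->removeChild($child);
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!isset(ALLOWED_TAGS[$tag])) {
            if (in_array($tag, DROP_WITH_CONTENT, true)) {
                $node->removeChild($child);
                continue;
            }
            // Unknown but harmless element (div, span, ...): keep its content, drop the tag.
            sanitizeNode($child);
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        // Drop every attribute not on the allowlist; this is what removes onerror=, onload=, style=.
        $names = [];
        foreach ($child->attributes as $attr) {
            $names[] = $attr->name;
        }
        foreach ($names as $name) {
            $lname = strtolower($name);
            if (!in_array($lname, ALLOWED_TAGS[$tag], true)) {
                $child->removeAttribute($name);
            } elseif (($lname === 'href' || $lname === 'src') && !safeUrl($child->getAttribute($name))) {
                $child->removeAttribute($name);         // javascript:, data:, vbscript: ...
            }
        }
        sanitizeNode($child);
    }
}

function sanitizeHtml(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                   // user HTML is rarely well-formed; stay quiet
    $doc->loadHTML('<div>' . $html . '</div>', LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->documentElement;                      // the wrapper <div>
    sanitizeNode($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Parameterised insert: the driver sends the values separately from the SQL text, so
// the values need no escaping and none is applied to them.
function insertPage(PDO $db, string $title, string $uid, string $desc, string $date, string $content): void {
    $stmt = $db->prepare(
        'INSERT INTO pageit (title, userid, `desc`, dateadded, content) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->execute([$title, $uid, $desc, $date, $content]);
}

// Constructed payloads; each one passes through cleanInput() unchanged.
$payloads = [
    '<img src=x onerror=alert(1)>',
    '<a href="javascript:alert(1)">click</a>',
    '<script>alert(1)</script >',   // space before '>' so the literal </script> never matches
];
foreach ($payloads as $p) {
    printf("input:     %s\nregex:     %s\nallowlist: %s\n\n", $p, cleanInput($p), sanitizeHtml($p));
}
```

Running the script prints each payload twice: after `cleanInput()` it is unchanged, after `sanitizeHtml()` the `onerror` and `href` attributes are gone and the `<script>` element has been removed entirely. `loadHTML()` assumes ISO-8859-1 when the fragment carries no encoding hint, so for non-ASCII content prefix the wrapper with a `<meta charset="utf-8">` or convert the input to numeric entities before parsing. The escaping side of the original question is handled by the prepared statement: with placeholders, the `desc` and `content` columns can hold any characters without the query text being affected.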