Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

IF STATEMENT HELP
Hi
i have created a calendar from a table:

Code: Calendar: October 2009
<table w

Significance of BPM
Hi Experts,
I am a novice in BPM , I just want to know how BPM as permenant department is

Intrastat Report Config in ECC 6.0 - goods Movement in EU countries
Colleagues, need ur help to understand the changes require in ECC 6 standard Report configuration se

PHP hyperlinks generator - HELP plz
Hi

I need some help to get this done using php:


1 - I have few hyperlinks say 500

My XSRF Prevention code isn't working
First of all, thanks for the generous help you guys have given me in the past on this forum.
Seco

Typedef struct vs just struct
Anyone know the rationale for using typedef for structs when a struct is itself a typedef? I have s

Session problem?!?
Hello All! I am very new to the php world but I am working on fixing things that a previous programm

Header is not working in IE
Hi ! header function is not working in IE but it works in FF, Safari, Chrome. any help please. :

Array help
Hello i got this code to fetch data from database but it is not working it displays
7
Array

uploading video files into mysql in php
hi,
I have the video files which i have to upload into mysql db. along with creating thumbnails f

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash