Sufficient protection from bad input?
Posted on
16th Feb 2014 07:03 pm by
admin
I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?
function cleanInput($input) {
$search = array(
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");
//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));
// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..
No comments posted yet
Your Answer:
Login to answer
130 
37 
Other forums
php web service error
hey guys,
I'm working on a project requires the use of web services. I've been trying a few tutor
Somebody hacked into my site and changed coding >>> URGENT HELP NEEDED <<<
I am not that much into programming , but somebody is hacking to my site and injecting some kind of
Java API in PHP?
I have an application that we use internally here at the office.
The software company provide
dynamic table with forms
I have a table that is populated with mysql data and in teh first column there is a raido button tha
form help
this doesn't work. i want the form action to go the location.href of the submit button chosen.. how
Getting a variable to work in function params
I have this fuction which is inside a class:
Code: public static function generateEmbedCode($
Function
How can I make this function that once you click the link in the code it takes you to a new page wit
CURL question
i am wondering if it's possible to use multi curl with login something like
login once to web
Character increment
Hi,
I am facing a scenario like above,but in my case i want to show up like Col A,Col B etc..
Help with Password Encoding/Decoding?
Trying to design a "change password" tool. On my signup code I'm using base64_encode, now
