Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and receive their own URL. I've, without testing, written this part of the script to clean the input; are there major security risks?

function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si', // Strip out javascript
    );
    $output = preg_replace($search, '', $input);
    return $output;
}

function sanitize($input) {
    $output = array(); // initialised so an empty array input still returns an array
    if (is_array($input)) {
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $input = cleanInput($input);
        $output = mysql_real_escape_string($input);
    }
    return $output;
}

// Define date for entry
$date = date("Y-m-d");

// clean input
$_title = sanitize(cleanInput($_POST['title']));
$_uid = sanitize(cleanInput($_POST['uid']));
$_desc = sanitize(cleanInput($_POST['desc']));
$_content = sanitize(cleanInput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
    // build the query from the parameters; the $_title etc. globals are not visible inside the function
    mysql_query("INSERT INTO pageit
        (title, userid, `desc`, dateadded, content)
        VALUES ('" . $title . "','" . $uid . "','" . $desc . "','" . $date . "','" . $content . "')")
        or die(mysql_error());
}

// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
// Done script stuff for now..
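Added example, not the poster's code: the same insert path rewritten so that the two risks the posted script relies on escaping for are handled structurally. The database query uses a PDO prepared statement, so quotes in the input can never change the statement, and the `content` field goes through an allow-list HTML sanitizer built on DOMDocument instead of a regex that only removes one tag. The table and column names (`pageit`, `title`, `userid`, `desc`, `dateadded`, `content`) come from the question; the allow-lists, the helper names and the `DB_NAME`/`DB_USER`/`DB_PASS` credentials are assumptions and placeholders.

```php
<?php
// Added example (not the poster's code). Assumes PDO with the MySQL driver and the
// pageit table from the question; credentials below are placeholders.
declare(strict_types=1);

// Allow-lists: anything not listed here is dropped from user-supplied HTML.
const ALLOWED_TAGS    = ['div', 'p', 'br', 'b', 'strong', 'i', 'em', 'u',
                         'h1', 'h2', 'h3', 'ul', 'ol', 'li', 'a', 'img'];
const ALLOWED_ATTRS   = ['a' => ['href'], 'img' => ['src', 'alt']];
const ALLOWED_SCHEMES = ['http', 'https'];

// Reduce user HTML to the allow-list: unknown elements (including <script>) are removed
// together with their content, unknown attributes are removed, URLs must be absolute http(s).
function sanitizeHtml(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // tolerate sloppy user markup silently
    // The PI fixes the encoding; the <div> wrapper gives libxml a single root to keep.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    $root = $doc->getElementsByTagName('div')->item(0);
    if ($root === null) {
        return '';
    }
    cleanNode($root);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function cleanNode(DOMNode $node): void {
    // Iterate over a static copy: removing children from a live NodeList skips nodes.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                $node->removeChild($child);
                continue;
            }
            $allowed = ALLOWED_ATTRS[$tag] ?? [];
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                if (!in_array($name, $allowed, true) || !safeUrl($attr->value, $name)) {
                    $child->removeAttribute($attr->name);
                }
            }
            cleanNode($child);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child); // comments and processing instructions
        }
    }
}

// href/src must carry an absolute http(s) URL; any other scheme or a relative path is rejected.
function safeUrl(string $value, string $attrName): bool {
    if ($attrName !== 'href' && $attrName !== 'src') {
        return true;
    }
    $scheme = parse_url(trim($value), PHP_URL_SCHEME);
    return is_string($scheme) && in_array(strtolower($scheme), ALLOWED_SCHEMES, true);
}

// Plain-text fields are stored as typed (length-limited) and encoded when rendered.
function plainText(string $s, int $max): string {
    return mb_substr(trim($s), 0, $max);
}

function renderText(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Values are bound as parameters, never concatenated into the SQL text.
function insertPage(PDO $db, string $title, string $uid, string $desc,
                    string $date, string $content): void {
    $stmt = $db->prepare('INSERT INTO pageit (title, userid, `desc`, dateadded, content)
                          VALUES (?, ?, ?, ?, ?)');
    $stmt->execute([$title, $uid, $desc, $date, $content]);
}

// Usage (placeholders for DSN and credentials):
$db = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
insertPage($db,
           plainText($_POST['title'] ?? '', 200),
           plainText($_POST['uid'] ?? '', 64),
           plainText($_POST['desc'] ?? '', 500),
           date('Y-m-d'),
           sanitizeHtml($_POST['content'] ?? ''));
```

Two points the structure enforces: `title` and `desc` are emitted through `renderText()` at output time rather than being "cleaned" on the way in, so the stored value stays intact and the encoding matches the HTML context; and `content` is reduced to the allow-list once, at storage, with the DOM parser doing the tag matching instead of a regular expression. The `uid` value should also come from the authenticated session rather than the form, since a client can post any value it likes in `$_POST['uid']`.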

No comments posted yet