Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

ALV grid with 2 headers
Hi Gurus,

I need to display ALV GRID as below.

Header1

Content-Disposition: attachment; filename=... not working as i thought it should
taken the following code from the php.net site the script is not working.

what is not happeni

Login Control?!
I have a Web Site that uses the login control also I have set the destinationurl to the page I want

ereg_replace in Wordpress
Heya - so I'm working on this site: http://world-of-smiles.theportlandco.com/new-patients

The

How to use Ajax to verify data on a DB ?
Hello everyone, well i want to know how to check a value if it exists or not on a Data base and capt

Get dump of MySQL DB from Live Site
I'm after an easy, but secure way of generating and importing a MySQL dump from a remote server.

PHP url branch??
Functionally, using PHP, I'm doing a test of login input submitted by a user via an html form in a f

tell csv import script to ignore blank rows?
Hi i have the below script but i get an error if a row is blank ie a return in the csv file at the e

Dynamic links in an include file
I am working on a small piece of code that counts records from a database and displays the result to

listing help
Hi,

at first, great new design!!! I like it,

i got a problem,

I want to list so

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash