Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

SAP FICO learning materials
Hi all,
I am new to this world of SAP FICO. I have taken training on SAP FICO, but was wonderin

Default TimeZone
The server I'm working with is hosted in America so all times inserted into the database are coming

Change image filetype on upload?
Hi,
I've got a form which uploads an image to the server.
Is it possible to change the image t

Using system() and bringing back the results
I am aware that you can use system() within PHP to execute system commands, but I was wondering if t

why this query can delete duplicates ?
why this query can delete duplicates ? Anybody can give me the detailed explanation ?

Tha

php email checker
I am having alot of trouble finding info on how to do these email things. I need to do the following

how to get values from $_Post with onchange="form.submit();"?
Hi, I have a form that submit to itself with a file upload field and two other hidden field values.<

Stuck with preg_replace
Hi,

I'm trying to use preg_replace to remove part of the IP address submitted using a form on

How a counter of users ? such as ---> (231 Viewing)
I want to count how many users are actually viewing the page, How is that possible?
Thank you guy

Help with explandable category tree
I have the below query:

SELECT l1.id as lev1_id,l2.id as lev2_id,l3.id as lev3_id,l1.categ

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash