Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

PEAR in appliactiond development
When I was picking up PHP I went from procedural programming, fairly quickly into OOP, then after wr

How can i steam a video on my PHP site? (non YouTube)
Basically I have a PHP site and don't want to give page rank to YouTube. I just want to stream a bas

does anyone know a php script to send mail using gmails/googles free smtp server
cause i heard u can do that but i dont know how

Retail terminologys not been altered after activing Retail System
Hi, All

After I active Retail System via TCode SWF5, the terms does not been changed, th

keeps going back to index.html ???????
ok so i started making my site using mostly.html files now i have added a fair chunk of php. My inde

How to replace search button with link?
hi to everbody.
i have a search submit form and button like this :

<form id="f

Website Direction...
I recently used this code to try and make it so the page loads as http://www.domain.com/ when you ty

Creating a db with a query
Hello everyone.
I'm having troubles creating a db with a query.
I'm reading a book called PHP

query help
Hi experts.

i have a table rep2 like this
PROD_COD ACCT_NO DUE_DAYS BALANCE

shoping cart issues
i´ve wrote this and works when i add an item to, my cart, but when i want to add othrer item just

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash