Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

Help Import Animoto and Youtube
CAn someone help me urgently want to allow users on my website to import youtube/revver/dailymotion

Pass sql into pl/sql and create RMAN duplicate script.
Hi,

I'm new to pl/sql and I'm trying to write a script that will generate some RMAN comma

PHP File Upload Problem
Hi, I have written a very simple file upload script but it fails for reasons I can't explain. Hope

single values into sql field
i have a form which i want the user to able to select multiple answers. But i want the answers to be

standard ALV application toolbar, into custom report....
HI,

I have a question regarding displaying standard ALV menu path and application toolbar

trouble printing an array....
I'm having some trouble printing out an array forwards. I'm figuring out the high and low of an arra

Material xxx does not exist in plant xxx
Dear All,

I am working for a steel project which is repetitive manufacturing.

Comma seperated implode & modifying returned string.
I have a PHP post form that posts up to 4 variables. I need whatever variables are passed to be comb

Working with popups and such in a class
I've recently started building my applications completely enclosed in classes. I like the fact that

Date help - fetch dates for Mondays between xxx and yyy?
Does anyone know the best way to do this? I have two dates, say:

2010-01-26 and 2010-05-30

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash