Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

Registration
ok so i have a site where people can register and login which works now thanks to someone on here th

if php cookie set, show code...
Hi all.. I need to figure out this little snippet right quick.. seems like it should be easy enough

help with Get_
ok some how this is not working i am not sure what i am doing wrong here but what this does is when

PO Release Strategy Issue
Hi Experts,

I am facing an issue related to PO release strategy. The details are-
<

PHP - MySQL Fail
My PHP code will only execute the first part of my code...

Code: <?php

sessio

How can I uploading Transactional Data from Legacy to New SAP system
Hell Gurus,

I am overwhelmed with questions on how to migrate huge volume of Sales Orders

Multi image upload
I have a gallery to build and want to build a dynamic upload form to allow for $var number of fields

PHP doesn't send my mail
Hi all, I found this and used it to send mail. Simple contact form with some required fields. The va

Do not allow posting of whitespace
Currently the script below works if the user does not type a name/message, but if i create a whitesp

Hotlinking Picasa as the image folder of a website
Hi there PHP freaks, I would like to create a private album in Picasa to use it as the image folder

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash