Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

grouping within a foreach?
hello all,

I currently have a list of products spit out from my db via a foreach loop. Right

BB_Code error
I'm having a problem with a custom built function and keep getting this error:


Warning: M

how do i display data on a page from mysql
1 - do i use this code at the top of each of my page i wish to only alow access if there as been a s

Progress bar tracking file downloads
Hey guys, was wondering if there was a way to track how far a file has been downloaded. I know there

DataTable Help Required
Hi all I am creating an app that utilises and MS Access back end and queries it quite a bit at vario

md5 is it unique
I know this is most likely one of many simple questions that can be found semi easily. But I'm press

From Header Showing 'Unkown' In Hotmail? Why?
Code: $to = $row_GetID['email_addr'].',sales@mywebaddress.co.uk';
$subject = 'Thank you for you

Having problemswith multithreading and prime numbers
I have an assignment when I'm suppose to do the following:

Write a multithreaded Java, Pt

Auto-populating dropdowns and multiple forms.
Here's what I have so far:

First drop down = select a state (works)
This populates the sec

A WBS element with the name XXX already exists in version FREI_VERSION
Hi.
When I am trying to insert WBS element in a project, error occurs:

"A WBS eleme

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash