Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and receive their own URL. I've, without testing, written this part of the script to clean the input; are there major security risks?

<?php
// Strip <script>...</script> blocks from a string. Note that this only removes
// script tags; other markup passes through untouched.
function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si', // Strip out javascript
    );
    $output = preg_replace($search, '', $input);
    return $output;
}

// Recursively clean a value (or an array of values), then escape it for MySQL.
function sanitize($input) {
    if (is_array($input)) {
        $output = array();
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $input = cleanInput($input);
        // Requires an open mysql_connect() connection.
        $output = mysql_real_escape_string($input);
    }
    return $output;
}

// Define date for entry
$date = date("Y-m-d");

// Clean input (sanitize() already calls cleanInput(), so the outer call is redundant)
$_title   = sanitize(cleanInput($_POST['title']));
$_uid     = sanitize(cleanInput($_POST['uid']));
$_desc    = sanitize(cleanInput($_POST['desc']));
$_content = sanitize(cleanInput($_POST['content']));

// Insert a row of information into the table with function.
// Uses the function parameters; the original referenced the globals
// ($_uid, $_desc, ...) and a mistyped _$title, which are not in scope here.
function insert($title, $uid, $desc, $date, $content) {
    mysql_query("INSERT INTO pageit
        (title, userid, `desc`, dateadded, content)
        VALUES ('" . $title . "', '" . $uid . "', '" . $desc . "', '" . $date . "', '" . $content . "')")
        or die(mysql_error());
}

// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
// Done script stuff for now..
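The script above relies on a blacklist (remove `<script>`) and on string concatenation into the INSERT, and it trusts the `uid` field sent by the client. The following is an added example, not the poster's code or an accepted answer, showing the same "store a user page" flow built the other way round: a tag whitelist with all attributes dropped for the HTML body, `htmlspecialchars` at render time for plain-text fields, a PDO prepared statement so user data never becomes part of the SQL text, and the user id taken from the server-side session. The `pageit` table name and columns come from the question; the PDO handle, the whitelist, the in-memory SQLite database and the sample form data are assumptions constructed for the demo.

```php
<?php
// Added example (not the poster's code): hardened version of the page-insert flow.
// Assumptions: a PDO handle, a `pageit` table with the question's columns,
// and the user id coming from the login session rather than the form.
declare(strict_types=1);

/**
 * Reduce user-supplied HTML to a small whitelist of tags and drop every
 * attribute from the tags that survive, so inline event handlers and
 * javascript: URLs have nowhere to live. This illustrates allow-known-good
 * versus the question's remove-known-bad; a real deployment should use a
 * maintained HTML sanitizer library rather than strip_tags plus a regex.
 */
function sanitizeHtml(string $html): string
{
    // Whitelist is an assumption for this example; no <img>, <a>, <style>, etc.
    $allowedTags = '<p><br><b><i><em><strong><ul><ol><li><h1><h2><h3>';
    $stripped = strip_tags($html, $allowedTags);
    // Remove all attributes from remaining opening tags: <p class="x"> -> <p>
    $noAttrs = preg_replace('/<([a-z0-9]+)\b[^>]*>/i', '<$1>', $stripped);
    return $noAttrs ?? '';
}

/** Escape plain-text fields when rendering them into HTML (not when storing). */
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Insert one page row via a prepared statement; values are bound, not concatenated. */
function insertPage(PDO $pdo, string $title, int $userId, string $desc, string $content): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO pageit (title, userid, `desc`, dateadded, content)
         VALUES (:title, :userid, :desc, :dateadded, :content)'
    );
    $stmt->execute([
        ':title'     => $title,                 // stored raw, escaped on output
        ':userid'    => $userId,                // from the session, never from $_POST
        ':desc'      => $desc,
        ':dateadded' => date('Y-m-d'),
        ':content'   => sanitizeHtml($content), // HTML body reduced to the whitelist
    ]);
    return (int) $pdo->lastInsertId();
}

/** Fetch one page row by id, again with a bound parameter. */
function fetchPage(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM pageit WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Runnable demo against an in-memory SQLite database (constructed data) ---
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE pageit (id INTEGER PRIMARY KEY, title TEXT, userid INTEGER,
            `desc` TEXT, dateadded TEXT, content TEXT)');

// Constructed form input: a title containing a quote (which would break the
// concatenated INSERT in the question) and a body with a disallowed tag and
// an attribute on an allowed tag.
$form = [
    'title'   => "Bob's page",
    'desc'    => 'A <test> description',
    'content' => '<p class="x">Hello</p><div>block</div>',
];
$sessionUserId = 42; // in a real app: read from $_SESSION after login

$id  = insertPage($pdo, $form['title'], $sessionUserId, $form['desc'], $form['content']);
$row = fetchPage($pdo, $id);

// Plain-text fields are escaped at render time; the body was sanitized at store time.
printf("title:   %s\n", escapeHtml($row['title']));
printf("desc:    %s\n", escapeHtml($row['desc']));
printf("content: %s\n", $row['content']);   // <p>Hello</p>block
```

Run with `php example.php` (needs the pdo_sqlite extension, which ships with most PHP builds). The split of responsibilities is the point: the database layer is protected by parameter binding regardless of what the strings contain, the HTML body is reduced to a known-good subset once on the way in, and everything else is escaped on the way out, so no single regex has to anticipate every dangerous input.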

No comments posted yet
