Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

Echo Tweaking help!
HI. I would like to have the output of the entered variables repeat forever, but it's stopping at th

session checking in page load
hai all I have a web site is www.Mryas.com in this my login page is Page1.aspx its co

Onclick problem in Firefox
Hi,
I am using a . It doesn't seem to

rename the file
File.txt

Code: ***DOCUMENT***
..DN:
000044255
..CB:
..SN:
..PY:
2009
..E

Redirecting Admin
In my members table, I have a field called "perm" and it's set to zero for all members. Ho

Upload Code Help
Hi everyone I need some help with a bit of code ive been working with for a while. I am completely s

isset undefined variable
Hi all,

Hope someone can point out the obvious. I've a log in script, if you dont enter a use

Is STL important?
I'm just starting programming and I've made it until the Standart Template Library. But the chapter

BB_Code error
I'm having a problem with a custom built function and keep getting this error:


Warning: M

FAGL_FC_TRANSLATION FAS52 New GL ECC 6.0
Hello,

The new program for Translating GL Balances (FAS 52) gives the option to use diffe

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash