Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

upload image name with extension using php
hi frds..

<input id="file1" type="file" name="file[]" &a

Preloading images
Posting this question here because I am not sure where this should belong.I am building an asp.net a

Members Only
Hi all, for my website i have a members area only which on members can veiw, but at the moment anyon

mod_rewrite.c on windows ??
why it's not working on windows while it's working on other hosts???

this is the code i got

PHP XML extraction text
I would like to extract an xml text and have that text directly echo(print) out on my web page. Her

PHP url branch??
Functionally, using PHP, I'm doing a test of login input submitted by a user via an html form in a f

Display a default image
I am trying to display generic image for items that don't have one, but I can't get it to display.

Placing and array within an array then sorting it!
I have a page that runs two large mysql queries and saves the results into arrays, in php I then per

check_changed_data - I can't get data from the called method event
I use check_changed_data to trigger my event method.

The method delivers er_changed_data.

error reporting
hey everyone

I have a production server in which I want error reporting but only on some page

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash