Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

SQl num_rows problem
when i try to count rows from an SQL select i get an warning

Code: [Select]$countviews = mysq

reorder sql query
ok so i have this very simple code:
Code: $query = "SELECT search_keywords, COUNT(search_key

What are the two different files you download to update kernel?
What are the two different files you download to update kernel?

Cannot Connect to Database
I am writing an application to do annual reviews. I cannot get my script to work. Whenever it runs I

restricting another login once you logout
Hello,

how can I restrict a page from login authenticating against info in a MySQL DB for a s

Snapshot from video
anyone knw how to make a snapshot maker from avi n mkv format.
for example if i give a direct lin

PHP page loading in Firefox but not in IE
hello,

i am currently doing a project in PHP and i have a problem. If I view the project in M

turning an array into a string then poping it into a db
Hi im just wondering how you get a requested array into a single string then pop it into the db so f

PHP & Images [Resize, Crop, Save]
Hey! Well I have a little dilema, hoping I could find some guidance.

I have a CMS and on the

Warning: session_start() headers already sent error - Driving me Nuts!
I am trying my sister in laws site and I keep getting an error with my coding. I am more of a design

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash