Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and receive their own URL. I have, without testing, written this part of the script to clean the input; are there major security risks?

function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si', // Strip out javascript
    );
    $output = preg_replace($search, '', $input);
    return $output;
}

function sanitize($input) {
    $output = array(); // initialise so an empty array input does not return null
    if (is_array($input)) {
        foreach ($input as $var => $val) {
            $output[$var] = sanitize($val);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $input = cleanInput($input);
        $output = mysql_real_escape_string($input);
    }
    return $output;
}

// Define date for entry
$date = date("Y-m-d");

// Clean input
$_title   = sanitize(cleanInput($_POST['title']));
$_uid     = sanitize(cleanInput($_POST['uid']));
$_desc    = sanitize(cleanInput($_POST['desc']));
$_content = sanitize(cleanInput($_POST['content']));

// Insert a row of information into the table with function
// (uses its own parameters; the original referred to $_title/$_uid/$_desc/$_content,
// which are not in scope inside the function, and had a typo "_$title")
function insert($title, $uid, $desc, $date, $content) {
    mysql_query("INSERT INTO pageit
        (title, userid, `desc`, dateadded, content)
        VALUES ('" . $title . "','" . $uid . "','" . $desc . "','" . $date . "','" . $content . "')")
        or die(mysql_error());
}

// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
// Done script stuff for now..

No comments posted yet

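A hardened version of the same insert, added here as an example and not the poster's code: it validates each field, stores the row with a PDO prepared statement so quoting is never done by hand, and encodes at output time instead of trying to strip dangerous markup on input. The DSN and credentials in connectDb, the reuse of the post's `pageit` columns, and taking the user id from the session rather than the form are assumptions.

```php
<?php
// Added example, not the poster's script. Assumes the `pageit` table from the
// post, a hypothetical DSN/credentials, and an authenticated $_SESSION['uid'].

function connectDb(): PDO {
    $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'appuser', 'secret');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
    return $pdo;
}

// Validate: reject what does not fit, rather than "cleaning" it with a regex.
function validateFields(array $post, int $sessionUid): array {
    $title   = trim((string)($post['title'] ?? ''));
    $desc    = trim((string)($post['desc'] ?? ''));
    $content = (string)($post['content'] ?? '');
    if ($title === '' || strlen($title) > 200) {
        throw new InvalidArgumentException('title must be 1-200 bytes');
    }
    if (strlen($desc) > 1000 || strlen($content) > 65535) {
        throw new InvalidArgumentException('desc or content too long');
    }
    // The user id comes from the session, never from the submitted form.
    return ['title' => $title, 'uid' => $sessionUid, 'desc' => $desc, 'content' => $content];
}

// Store: bound parameters, so the driver handles quoting for every value.
function insertPage(PDO $pdo, array $f): void {
    $stmt = $pdo->prepare(
        'INSERT INTO pageit (title, userid, `desc`, dateadded, content) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->execute([$f['title'], $f['uid'], $f['desc'], date('Y-m-d'), $f['content']]);
}

// Render: encode for the HTML context when displaying. Plain-text fields get
// htmlspecialchars; the user's own HTML body should be served from a separate
// origin or passed through an allowlist sanitizer, not a <script> blacklist.
function renderText(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

session_start();
try {
    $fields = validateFields($_POST, (int)($_SESSION['uid'] ?? 0));
    insertPage(connectDb(), $fields);
    echo '<h1>' . renderText($fields['title']) . '</h1>';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Bad input: ' . renderText($e->getMessage());
}
```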