Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

php mysql query from input textbox
Hi,

I have a text box, in that i have given the mysql query. I can able to get the query in v

SAP Treasury - Commodities
We are running SAP ECC 6.0 with Treasury Activated.
EA-FIN is also activated (SFW5).

Two warning messages
Quote<b>Warning</b>: mysql_real_escape_string() expects parameter 1 to

How to schedule the a job?
Hi,
I have prepared a task ( i.e. a procedure is prepare the file and send the same to con

Converting RGB values to HEX
Code: <?PHP

$file_handle = fopen("colors/rgb.csv", "r");

wh

echo $rows help
Hi all,

Hopefully something simple that I don't know!

I have this:

Code: [Selec

Just wondering what you think about my site
I am new to phpfreaks i just seen this form and thought it would be cool to see what other thought a

have trouble in a if condition
The if below is working ok, it check when indexes, name, zipcode and state are empty.
Code: &

TimeZoneOffset
Hello,

Please i need your help. I have a system that users can use to punch in and out. This

Displaying data from database into a 2 dimensional table
Good day!

I'm a beginner in PHP and I'm not expecting a full coding for this qestion. I'm jus

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash