Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

Insert numbers from Barcode scanner into online php page
I have a real big problem, Here is what I'm trying to do. I have a Intermec CN3 handheld computer th

Just cannot get 'area' to submit to db using same php code as already used
Basically all i have done is just modified some code and added an area section.
The form is allre

How do i do multi uploads?.
Hey i would like to do this : http://hosting.mrkrabz.net/

I've got the base down you can uplo

Customizing message/behavior
Hi,I'm using the ASP.NET membership/authorization controls in my application. Some parts of my appli

How to set pass login name from htaccess to php
When the user logs into my members page via htaccess, I'd like to retain the username so that I can

pagination numbering pattern
Hello,

I have following code which works great for pagination. but i have small issue now.

php calculate
this code echoes correctly the sum but the inserted result is 0??
Code: <?php
$TotalNum

phph within href not showing php if change ? to &
Code: [Select]<a href="<?php echo $puser; ?>?m=<?php=(($m-1)&l

for some reason mysql query not working, not inserting, please check it out
This code is not inserting anything into my db, don't know why, the $_SESSION variable does contain

limit string by words??
hello all,

I was wonder if there is a function to limit a string by the number of words inste

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash