Sufficient protection from bad input?
Posted on
16th Feb 2014 07:03 pm by
admin
I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?
function cleanInput($input) {
$search = array(
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");
//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));
// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..
No comments posted yet
Your Answer:
Login to answer
130 
37 
Other forums
Create a form of 2 numbers input and find the greatest.
Hi, everybody.
I have a homework in my training of php, which ask you to make a form that ask
Basic Forum Tutorial
Hi, I'm new to PHP. I want to build a basic forum for my site using PHP and MySQL. I've searched t
POST into Array problem
Hi Chaps,
I have a repeat region, displaying rows of data: jobid, fromtable, translatorcharge
Getting Subdomain Name With PHP?
I want to grab the subdomain name with PHP so I can generate database queries.
for example my
How would I do "Users not logged in since *** delete them"
I know how I would set this up, and delete the user roughly.
I'll create a table called "Use
session checking in page load
hai all
I have a web site is www.Mryas.com in this my login page is Page1.aspx its co
Parse error: syntax error, unexpected T_ELSEIF in /home/......html/item.php on l
I do not know what is wrong with this. Hope some one can help. I do nto want to post the entire site
cURL error
So here is my code... I got it off of here... http://www.youtube.com/watch?v=XcgQUsorF_8
Because
Echo-ing MySQL content and Keep Formatting?
I have data in my MySQL such as:
QuoteBlah blah
Blah blah
etc
but when i ech
How would I protect......
I have a from, actually, a good amount of forms. How can I make it so you can't type the characters:
