Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

present value of sequence?
Hi

Please help me to find out the present value of sequence?

Thanks

temporary objects
Until now i thought every temporary object in C++ is created as constant. I'm wondering why my compi

Change image filetype on upload?
Hi,
I've got a form which uploads an image to the server.
Is it possible to change the image t

Day of week
I am using PHP version 5.0.5
I have a varaible ($DATE (date format yyyy-mm-dd)) that is being inc

Paypal
Hi all,

I have an advanced basic knowledge of php

I want to try something new for a s

Keeping data in form
How can I keep whatever I write in the form?

LinkedList help
Ok so I just learned quickly about lists, so I have a not too hard project I think, but am having a

Help with ORDER BY
Hello. I would like to order by ascending States, then Cities, then Gyms in the following code, but

Confusing Functions
So, I've been reading up on Functions and I like them! However, I need some help using variables in

Reading waves
Hi,

I am trying to find a way of finding the highs and lows on a graph line, the line points

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash