Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

Strange Oracle Query problem
Ok So I have this PHP class that talks to a Javascript class that basically creates a table of infor

using explode() to fill in checkboxes
Hi

I have a field stored in a table that contains regions in the UK separated by commas. Ther

Need help making a script that moves data into acrhive table
Hi,

I'm kinda new to php/mysql

And i wrote a simple script to store sales lead for a b

that old Malformed Headers problem again!!!!! HELP!!!!!!
I've read the http://www.phpfreaks.com/forums/index.php/topic,37442.0.html

I don't think my c

confused between ' ' and " "
there is a php i set:
$begin_date_query = mysql_query( "SELECT SUBDATE(due_date, INTERVAL $d

Is this possible? If one file assigned to an ID...
I have a page that lists property listings assigned to a specific user (a manage page), with brief t

PHP template help
Ok, I don't know if anyone can help me but I am using PHP templates to make a site. I am a newbie an

iterating through an array and escape each value independently.
I have a set up where the variable being escaped is an array and it needs to be iterated and escaped

PHP Directory Listing Not working
Hey Guys,

I need help, I tried a ton of directory listing scripts and they all don't work. Al

Best way to check for end of a record and send it back to the first record
I'm hoping someone can help me out and explain the best way to accomplish this.

What I'm doin

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash