Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and recieve their own url.. I've without testing, wrote this part of the script to clean the input, are there major security risks?

function cleanInput($input) {
$search = array(
Did you know?Explore Trending and Topic pages for more stories like this.
'@<script[^>]*?>.*?</script>@si', // Strip out javascript
);
$output = preg_replace($search, '', $input);
return $output;
}
function sanitize($input) {
if (is_array($input)) {
foreach($input as $var=>$val) {
$output[$var] = sanitize($val);
}
}
else {
if (get_magic_quotes_gpc()) {
$input = stripslashes($input);
}
$input = cleanInput($input);
$output = mysql_real_escape_string($input);
}
return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
mysql_query("INSERT INTO pageit
(title, userid, `desc`, dateadded, content) VALUES('"._$title."','".$_uid."','".$_desc."','".$date."','".$_content."') ")
or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet

Your Answer:

Login to answer
130 Like 37 Dislike
Previous forums Next forums
Other forums

bit of help needed
Im about to sort out my registration page for my website by customising a "registration" s

how do i make a string??
hey guys,
can someone please tell me how to put data from the glob function into a string

Data storage spaces in varchar2
Trying to understand what's happening.
I am selecting a value from a table that is defined as c

preg_replace question
Hello!!

I hope someone can help me with preg_replace.

I load two tables from an extern

Insert data in Mysql and move to another page
I'm stuck with this simple problem. I need to insert data in Mysql and then hit submit and move to a

How would I convert this into code using an if statement?
ES equals exam score m equals $mean s equals $total. I already coded my mean and total so I'm not g

Map.php
I am a complete beginner to PHP and am looking for some help with a program I am messing around with

Google Map
I have done Google Map Integration for one my project. But for that we need the "latitude and l

duplicate record notification
In my database, after insertion of records, I want to know if the record inserted is duplicate or no

php form help
Hey,

I use a control file to set my meta tags and titles

Here's an example
Code: &a

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash