Sufficient protection from bad input?


Posted on 16th Feb 2014 07:03 pm by admin

I am writing a simple script to let people upload 'pages' of their own content, be it simply a few bits of HTML, pictures and whatnot, and receive their own URL. I've, without testing, written this part of the script to clean the input. Are there major security risks?

function cleanInput($input) {
    $search = array(
        '@<script[^>]*?>.*?</script>@si', // Strip out javascript
    );
    $output = preg_replace($search, '', $input);
    return $output;
}
function sanitize($input) {
    $output = array(); // initialise so an empty array input returns an array rather than null
    if (is_array($input)) {
        foreach($input as $var=>$val) {
            $output[$var] = sanitize($val);
        }
    }
    else {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $input = cleanInput($input);
        $output = mysql_real_escape_string($input);
    }
    return $output;
}
//Define date for entry
$date = date("Y-m-d");

//clean input (sanitize() already calls cleanInput(), so the outer call is redundant but harmless)
$_title = sanitize(cleaninput($_POST['title']));
$_uid = sanitize(cleaninput($_POST['uid']));
$_desc = sanitize(cleaninput($_POST['desc']));
$_content = sanitize(cleaninput($_POST['content']));

// Insert a row of information into the table with function
function insert($title, $uid, $desc, $date, $content) {
    // Use the function parameters here; the globals $_title, $_uid, $_desc and
    // $_content are not in scope inside the function, and "._$title." was a typo.
    mysql_query("INSERT INTO pageit
        (title, userid, `desc`, dateadded, content) VALUES('".$title."','".$uid."','".$desc."','".$date."','".$content."') ")
        or die(mysql_error());
}
// Do the insert with the cleaned data!
insert($_title, $_uid, $_desc, $date, $_content);
//Done script stuff for now..

No comments posted yet
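As an added example (not the poster's code), the same insert done the way a reviewer would ask for: validate what is submitted, send values to MySQL as prepared-statement parameters instead of escaping and concatenating them, and encode on output rather than trying to strip `<script>` with a regex. The host, database name, credentials and length limit are assumptions; the `pageit` table and its columns are the ones in the question.

```php
<?php
// Added example, not the poster's code. Replaces the regex blacklist and
// mysql_real_escape_string() concatenation with validation, a prepared
// statement and output encoding. Host, database and credentials are placeholders.

function connect(): PDO {
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4',
        'DB_USER', 'DB_PASSWORD', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side parameters
        ]);
}

// Validate: reject input that does not fit instead of trying to repair it.
function validatePage(array $post): array {
    $title = trim((string)($post['title'] ?? ''));
    if ($title === '' || mb_strlen($title) > 200) {
        throw new InvalidArgumentException('title must be 1-200 characters');
    }
    if (!ctype_digit((string)($post['uid'] ?? ''))) {
        throw new InvalidArgumentException('uid must be a positive integer');
    }
    return [
        'title'   => $title,
        'uid'     => (int)$post['uid'],
        'desc'    => trim((string)($post['desc'] ?? '')),
        'content' => (string)($post['content'] ?? ''),
    ];
}

// Values travel separately from the SQL text, so no quoting is needed and
// no value can alter the statement. Stored data stays exactly as submitted.
function insertPage(PDO $pdo, array $page): int {
    $stmt = $pdo->prepare(
        'INSERT INTO pageit (title, userid, `desc`, dateadded, content)
         VALUES (:title, :uid, :desc, CURDATE(), :content)');
    $stmt->execute([
        ':title' => $page['title'], ':uid'     => $page['uid'],
        ':desc'  => $page['desc'],  ':content' => $page['content'],
    ]);
    return (int)$pdo->lastInsertId();
}
// Encode at the point of output: anything the user typed is shown as text.
// If real HTML must be allowed, use an allowlist sanitizer (HTML Purifier).
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$page = validatePage($_POST);
$id   = insertPage(connect(), $page);
echo '<h1>' . e($page['title']) . '</h1> <p>' . e($page['desc']) . '</p>';
```

Because nothing is altered before storage, the same row can later be rendered as text, as an HTML fragment through an allowlist sanitizer, or as JSON, each with the encoding that context needs.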
