Securing a user input - need some confirmation


Posted on 16th Feb 2014 07:03 pm by admin

Hello All,

I am in the process of recoding a large proportion of an e-commerce site; one of the problems is that there are a few security issues floating around.

I have a search box which was originally unprotected against XSS; I was easily able to execute JavaScript and force the system to echo out HTML *holds head in hands*.

I am using this code:

$term = preg_replace('/[^a-zA-Z0-9\s]/', '', $term); // keep only letters, digits and whitespace (\s, not a literal s)

...to remove any non-alphanumeric characters (excluding spaces); I am thinking because this will strip out any characters like ', ", <, >, /, = etc., it should make my script safe again.

Can you confirm this, or is there something that I am missing?


Many thanks
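An added example, not code from the post: the post's allowlist regex placed beside context-aware output encoding (htmlspecialchars), run over constructed sample inputs, so the two approaches can be compared. The function names and sample strings are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// The post's allowlist filter, with \s escaped so spaces survive.
// Everything outside [A-Za-z0-9 whitespace] is dropped before the search runs.
function filterTerm(string $term): string
{
    return preg_replace('/[^a-zA-Z0-9\s]/', '', $term);
}

// Output encoding for an HTML body or attribute context. This is what stops
// reflected XSS when the term is echoed back, whatever the filter let through.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs (not taken from the original post).
$samples = [
    'running shoes',                  // ordinary query: both paths leave it readable
    'Café "bleu" <b>x</b>',           // legitimate non-ASCII and quotes: the filter mangles it
    'a <script>alert(1)</script> b',  // reflected markup: encoding renders it as text
];

foreach ($samples as $raw) {
    printf("raw:      %s\nfiltered: %s\nencoded:  %s\n\n",
        $raw, filterTerm($raw), escapeHtml($raw));
}

// Echoing the term back into the page: encode at the point of output.
$term = $_GET['term'] ?? '';
echo '<p>Results for: ' . escapeHtml($term) . '</p>' . PHP_EOL;
echo '<input type="text" name="term" value="' . escapeHtml($term) . '">' . PHP_EOL;
```

The second sample shows the cost of the allowlist: accented letters and quotes disappear from real searches, while encoding on output keeps them intact and still neutralises the third sample.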

No comments posted yet
