Securing a user input - need some confirmation

Posted on 16th Feb 2014 07:03 pm by admin

Hello All,

I am in the process of recoding a large proportion of an e-commerce site, one of the problems is that there are a few security issues floating around.

I have a search box which was originally unprotected against XSS, I was easily able to execute JavaScript and force the system to echo out HTML *holds head in hands*.

I am using this code:

$term=preg_replace('/[^a-zA-Z0-9s]/', "", $term);

...to remove any non-alphanumeric characters (excluding spaces), I am thinking because this will strip out any characters like ', ", <, >, /, = etc, it should make my script safe again.

Can you confirm this, or is there something that I am missing?


Many thanks

Your Answer:

Login to answer

Other forums

mysql VARCHAR acting like INT
Hi, All.

I have a table that contains a varchar(10) column named weird_field. In this column

javascript in php code causes page to display white
Hi All,

Odd one this, I've got the following code (below) which is a simple log in form. The

PHP FTP connect doesn't work with correct login
Hi!

i am working on this test code:
Quote<?php

$ftp_ser

Problems with returning true or false in eval()'d code
Hi guys,

Would appreciate some help with a problem when running eval() on a function that sho

Hashing?
Hi, I was hoping to take a string value then convert it - consistently - across each of our pages in

Update Myspace status with CURL
Logging in:

Code: <?php

class Myspace
{
function login($username, $pa

Hits this week counter
I have a counter on my site that tracks hits, IP's, etc. into a mySQL database. It also includes the

Need understanding of this bit of code
Code: <?php
// WHERE clause filters
$arrSQLFilters = array();

//

Shuffle Array
Hi,

I am writing a script for a game that needs players to randomly be assigned a target (ano

Sending a hyperlink through mail
HI all,
I am sending a mail to outlook mailbox of a user using FM SO_NEW_DOCUMENT_ATT_S