Securing a user input - need some confirmation

Posted on 16th Feb 2014 07:03 pm by admin

Hello All,

I am in the process of recoding a large proportion of an e-commerce site, one of the problems is that there are a few security issues floating around.

I have a search box which was originally unprotected against XSS, I was easily able to execute JavaScript and force the system to echo out HTML *holds head in hands*.

I am using this code:

$term=preg_replace('/[^a-zA-Z0-9s]/', "", $term);

...to remove any non-alphanumeric characters (excluding spaces), I am thinking because this will strip out any characters like ', ", <, >, /, = etc, it should make my script safe again.

Can you confirm this, or is there something that I am missing?


Many thanks

Your Answer:

Login to answer

Other forums

Using the $_GET variable to view certain records
Hello,

First let me explain my problem, I have 2 pages the first page pull a list of Guide ti

How to use Ajax to verify data on a DB ?
Hello everyone, well i want to know how to check a value if it exists or not on a Data base and capt

Calculating n! using vector
#include
#include
#include

using

mysql VARCHAR acting like INT
Hi, All.

I have a table that contains a varchar(10) column named weird_field. In this column

Accept only alpha characters
I've got this bit of code ready for accepting a phrase:

Code: if (!eregi ("", $_POS

Request-URI Too Large
I have created a simple submit form for a mysql database that puts a piece of code into database.<

upload only text files
hi guys i want to upload only text like like (pdf,note pad and ofiice files) so can any one please t

Is STL important?
I'm just starting programming and I've made it until the Standart Template Library. But the chapter

Help with simple query
Hi,

I'm trying to do a Query with a Union where I want to print the number of rows $tc conta

Please Help my PHP Dating Function.
Hi everyone!

Well here is my code that displays this:

It works wonderful.