Securing a user input - need some confirmation

Posted on 16th Feb 2014 07:03 pm by admin

Hello All,

I am in the process of recoding a large proportion of an e-commerce site, one of the problems is that there are a few security issues floating around.

I have a search box which was originally unprotected against XSS, I was easily able to execute JavaScript and force the system to echo out HTML *holds head in hands*.

I am using this code:

$term=preg_replace('/[^a-zA-Z0-9s]/', "", $term);

...to remove any non-alphanumeric characters (excluding spaces), I am thinking because this will strip out any characters like ', ", <, >, /, = etc, it should make my script safe again.

Can you confirm this, or is there something that I am missing?


Many thanks

Your Answer:

Login to answer

Other forums

fwrite error
Hi All,
Does anyone know what is causing the error in this code?

Code: <?
$error

dinamic "textboxes"?
Ey all, my first post here, i hope its not a hard one

I display mysql results in a table

Firefox displaying PHP source code??
Currently testing a site thats almost built, am going to be including php on a sidebar on all pages

MII Trends - add data onto chart object
Hello,

Can anyone please provide some thoughts on my current requirement:
its pretty

Code Help.. If txt input box empty search X instead..
I am having a problem with my search script. At current it will simply search by a selected date whi

Curl & sessions PLS HELP
Hello,

I have a problem with curl and sessions and i will try to explain the best i could.

form problem
Hi all, I think this is going to be easy to resolve but for I have been looking at it to long and I

Material xxx does not exist in plant xxx
Dear All,

I am working for a steel project which is repetitive manufacturing.

Shopping Cart
Can anyone direct me to a Simple, Basic structure of a shopping cart.
New to classes. I want to s

Add_Months not Easy to Understand
Oracle is number 1, very fast and very easy. But....
OK, I think but have a problem, only 1 pro