Securing a user input - need some confirmation

Posted on 16th Feb 2014 07:03 pm by admin

Hello All,

I am in the process of recoding a large proportion of an e-commerce site, one of the problems is that there are a few security issues floating around.

I have a search box which was originally unprotected against XSS, I was easily able to execute JavaScript and force the system to echo out HTML *holds head in hands*.

I am using this code:

$term=preg_replace('/[^a-zA-Z0-9s]/', "", $term);

...to remove any non-alphanumeric characters (excluding spaces), I am thinking because this will strip out any characters like ', ", <, >, /, = etc, it should make my script safe again.

Can you confirm this, or is there something that I am missing?


Many thanks

Your Answer:

Login to answer

Other forums

IIS7 and getimagesize() problem
I have just discovered after hrs of trying to fix a problem where it's coming from. It's to do with

echo $rows help
Hi all,

Hopefully something simple that I don't know!

I have this:

Code: [Selec

Query output more than expected
$query=mysql_query("SELECT * FROM players, communities, divisions WHERE dob BETWEEN '{$start_da

multipart emiail forms
Hi All,

I am new to the boards and I've been working on a form (which is rather massive, imo

Good Programming and Web Design Books
Hi,

I recived a pm today from a fellow phpfreaker regarding php books, i replied with the fo

Preg_match with an array
is there an away to use preg_match with an array?

i want to check a string with an array to s

Images outside webroot
Im hopeing someone can help me with this because i cant figure it out.I have setup an ASP.NET websit

User feedback after MySQL query has been executed
Hi all, I've just registered on PHPFreaks because I've got a question that I simply can't work out b

Must-Know Topics of PHP
Can you guys list the must-know topics of PHP. I am still a learner and I am trying to cover most of

DBCA Templates
Hi all,

I'm working on creating a template for DBCA, but can't find any documentation on the