Securing a user input - need some confirmation


Posted on 16th Feb 2014 07:03 pm by admin

Hello All,

I am in the process of recoding a large proportion of an e-commerce site, one of the problems is that there are a few security issues floating around.

Did you know?Explore Trending and Topic pages for more stories like this.
I have a search box which was originally unprotected against XSS, I was easily able to execute JavaScript and force the system to echo out HTML *holds head in hands*.

I am using this code:

$term=preg_replace('/[^a-zA-Z0-9s]/', "", $term);

...to remove any non-alphanumeric characters (excluding spaces), I am thinking because this will strip out any characters like ', ", <, >, /, = etc, it should make my script safe again.

Can you confirm this, or is there something that I am missing?


Many thanks
No comments posted yet

Your Answer:

Login to answer
217 Like 28 Dislike
Previous forums Next forums
Other forums

Need PHP help... have all the elements... just need help putting them together :
Hey Guys,

I was wondering if someone could help me. I am doing a website for a client which

single values into sql field
i have a form which i want the user to able to select multiple answers. But i want the answers to be

pop3 and fsockopen
So I am able to connect to the pop3 server, log in, and check how many messages there are. I am hav

Posting Serialized Data Not Working
I am trying to send an object from one PHP file to another using POST. I serialize the object and th

the problem with str_replace
$str="hahahahahahahahahahahahahaha";
$nn=1;
$str=str_replace('ha','MyGod',$str,$nn);

Update Myspace status with CURL
Logging in:

Code: <?php

class Myspace
{
function login($username, $pa

Mastering Regular Expressions, Third Edition, is available.
The Third Edition of Mastering Regular Expressions is available.

QuoteThis third edition is 5

Need some ideas as to how to go about sorting this array...
Here's how the array's are created..

Code: <?php
while ($x = readdir($dp)) {

PHP code needed to get/post form fields and request mysql query results.
I'm new to PHP

I've created an html form to allow the user to request a basic telephone dire

I am stumped
OK. Here is what I am trying to do. I have the conditions set, and if the conditions are met, I want

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash