Securing a user input - need some confirmation

Posted on 16th Feb 2014 07:03 pm by admin

Hello All,

I am in the process of recoding a large proportion of an e-commerce site, one of the problems is that there are a few security issues floating around.

I have a search box which was originally unprotected against XSS, I was easily able to execute JavaScript and force the system to echo out HTML *holds head in hands*.

I am using this code:

$term=preg_replace('/[^a-zA-Z0-9s]/', "", $term);

...to remove any non-alphanumeric characters (excluding spaces), I am thinking because this will strip out any characters like ', ", <, >, /, = etc, it should make my script safe again.

Can you confirm this, or is there something that I am missing?


Many thanks

Your Answer:

Login to answer

Other forums

Escaped characters
I have a script that allows you to post news to the home page of my site. Along with the news is the

timezone change with date()
so i put all my times for posts in my made from scratch forum(not phpbb3 or sm)
in my mysql db u

Credit card verification
I have a client who wants to process credit card transactions from his web site rather than the goin

Fetching array then reversing it
Hi, I have a simple problem, I'll try to explain it as best I can:
News entries in my database ar

2 decima places & How to reload my page
Hello There,

How do i put full-stop (.) after second figure from behind? ie if i have 123456

Problem Dereferencing
With these types and tables:

CREATE TYPE MANAGER AS OBJECT (
MGR_ID INTEGER,

Character Sets/Collations Stuff
Can someone please give me a check list of things I must do to setup all the charset stuff for my ph

Syntax Help
I'm trying to make a form that edits a php file which contains config settings. I'm using strings t

SAP BCS. BPS
Hi all,

I am seeking reading note on the following in BW

BCS, BPS
ADVANCE

Getting Subdomain Name With PHP?
I want to grab the subdomain name with PHP so I can generate database queries.

for example my