Securing a user input - need some confirmation


Posted on 16th Feb 2014 07:03 pm by admin

Hello All,

I am in the process of recoding a large proportion of an e-commerce site, one of the problems is that there are a few security issues floating around.

I have a search box which was originally unprotected against XSS, I was easily able to execute JavaScript and force the system to echo out HTML *holds head in hands*.

I am using this code:

$term = preg_replace('/[^a-zA-Z0-9\s]/', "", $term); // keep ASCII letters, digits and whitespace; remove everything else

...to remove any non-alphanumeric characters (excluding spaces). I am thinking that because this will strip out any characters like ', ", <, >, /, = etc., it should make my script safe again.

Can you confirm this, or is there something that I am missing?


Many thanks
No comments posted yet
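Added example, not code from the original post: the poster's allow-list filter (written with the `\s` the text describes, so whitespace is kept) placed beside output encoding with htmlspecialchars(), which is the control that actually stops an echoed search term from being parsed as HTML. The function names and the sample inputs are constructed for this illustration and are not from the thread.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Two layers for the search box:
// 1) the poster's allow-list filter (with the intended \s), and
// 2) context-aware output encoding, which is what actually prevents XSS.

/**
 * The allow-list filter from the question. Keeps ASCII letters, digits and
 * whitespace; everything else is removed. Note that without the /u modifier
 * this also strips every non-ASCII letter (e.g. "café" becomes "caf").
 */
function filterSearchTerm(string $term): string
{
    $filtered = preg_replace('/[^a-zA-Z0-9\s]/', '', $term);
    // preg_replace() returns null on a PCRE error; treat that as an empty term.
    return $filtered ?? '';
}

/**
 * Output encoding for an HTML element body or a double-quoted attribute.
 * ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
 * instead of returning an empty string.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render the "you searched for" line and the refilled search box.
 * The term is encoded on output regardless of what the filter did,
 * so the page stays safe even if the filter is later relaxed.
 */
function renderSearchEcho(string $rawTerm): string
{
    $term = filterSearchTerm($rawTerm);
    return '<p>You searched for: <strong>' . h($term) . '</strong></p>' . "\n"
         . '<input type="text" name="q" value="' . h($term) . '">';
}

// Constructed sample inputs (not from the original thread).
$samples = [
    'blue widgets',
    '<script>alert(1)</script>',
    '" onmouseover="alert(1)',
    "O'Brien",   // legitimate punctuation that the filter destroys
    'café',      // non-ASCII letter, stripped by the ASCII-only class
];

foreach ($samples as $raw) {
    printf("raw:      %s\nfiltered: %s\n%s\n\n",
        $raw, filterSearchTerm($raw), renderSearchEcho($raw));
}
```

Run with `php example.php`. Two points the output makes visible: the filter does remove every character the question lists, but it also changes what legitimate users searched for ("O'Brien" becomes "OBrien", "café" becomes "caf"), and its character set is only inert in an element body or a quoted attribute. Encoding at the point of output does not depend on either of those facts, which is why it belongs in the template even when the filter is kept as defence in depth.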