Securing a user input - need some confirmation


Posted on 16th Feb 2014 07:03 pm by admin

Hello All,

I am in the process of recoding a large proportion of an e-commerce site, one of the problems is that there are a few security issues floating around.

I have a search box which was originally unprotected against XSS, I was easily able to execute JavaScript and force the system to echo out HTML *holds head in hands*.

I am using this code:

$term=preg_replace('/[^a-zA-Z0-9s]/', "", $term);

...to remove any non-alphanumeric characters (excluding spaces), I am thinking because this will strip out any characters like ', ", <, >, /, = etc, it should make my script safe again.

Can you confirm this, or is there something that I am missing?


Many thanks

No comments posted yet

Your Answer:

Login to answer
217 Like 28 Dislike
Previous forums Next forums
Other forums

simple ping code
been searchin the site/web and found code thats simple but doesnt work.

I have a personal we

Is it possible to stop reservation creation in PM Order?
Hi All,

Is it possible to stop reservation creation in PM Order?

Thanks in adv

LIMIT $start, 10... how to pass last value queried into next page with GET??
Ok I know how to display the first or last 10 results of a query...

$result = mysql_query(&q

Simple MySQL query...
Hello,
How could I do a mysql query that does this: SELECT * WHERE date/time < 5minutes ag

$variable $variables type question
I need to be able to designate an array element dynamically, so I thought to use a variable variable

TimeZoneOffset
Hello,

Please i need your help. I have a system that users can use to punch in and out. This

2 things: enter doesn't work in IE & empty form
i have this search form that works well except for 2 things.

1) on IE when i hit enter instea

UTL File problem
Hi
I have a file in certain path with the following permissions (The file is a dummy file witho

Form errors in an array
I'm processing a form and putting the errors in an array. empty($errors) doesn't seem to do the tric

SQL query not working well
Hi,
I made a small table with 5 rows and want to make them an sql consult using rownum

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash