Securing a user input - need some confirmation


Posted on 16th Feb 2014 07:03 pm by admin

Hello All,

I am in the process of recoding a large proportion of an e-commerce site, one of the problems is that there are a few security issues floating around.

I have a search box which was originally unprotected against XSS, I was easily able to execute JavaScript and force the system to echo out HTML *holds head in hands*.

I am using this code:

$term=preg_replace('/[^a-zA-Z0-9s]/', "", $term);

...to remove any non-alphanumeric characters (excluding spaces), I am thinking because this will strip out any characters like ', ", <, >, /, = etc, it should make my script safe again.

Can you confirm this, or is there something that I am missing?


Many thanks

No comments posted yet

Your Answer:

Login to answer
217 Like 28 Dislike
Previous forums Next forums
Other forums

Chat Box in PHP
I was thinking in doing a Chat Box in PHP. For that I would use a form with two fields, Nick and Mes

Sufficient protection from bad input?
I am writing a simple script to let people upload 'pages' of their own content, be it simply a few b

ereg_replace issue
hi there people

i have this code happening with regards to my wamp server. is this something

IMAGE - SERVER SIDE scripting help...
How to receive pixel data of an image and buid a bitmap file on the server using the HTTP POST metho

Save cookie to DB
I'm working on a pixel tracking script for an incentive website and I need to use an ASP script to s

parsing error
can anyone explain this syntax error:

Parse error: syntax error, unexpected T_IF

The e

Curly Bracket Delimeters.
I'd always believed that the starting and ending delimeters in preg_ functions had to be the same ch

Opening Multiple Files/Links in Order.
I want to open links in order/one-by-one and check each for a specific string.

Example:
I

php require help needed
Ok i tried to use the search funtion but the word require is everywhere.

i'm really new to cr

Inserting the current date/time while submitting the forum
What do I need to add below to update the current date/time? I have a field in the database called d

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash