Securing a user input - need some confirmation

Posted on 16th Feb 2014 07:03 pm by admin

Hello All,

I am in the process of recoding a large proportion of an e-commerce site, one of the problems is that there are a few security issues floating around.

I have a search box which was originally unprotected against XSS, I was easily able to execute JavaScript and force the system to echo out HTML *holds head in hands*.

I am using this code:

$term=preg_replace('/[^a-zA-Z0-9s]/', "", $term);

...to remove any non-alphanumeric characters (excluding spaces), I am thinking because this will strip out any characters like ', ", <, >, /, = etc, it should make my script safe again.

Can you confirm this, or is there something that I am missing?


Many thanks

Your Answer:

Login to answer

Other forums

Java API in PHP?
I have an application that we use internally here at the office.

The software company provide

download directory onto C drive
I am attempting (if this is possible) to write a routine to automatically dump the contents of a dir

how to export excel file in same server
My first post - php newbie, so appreciate your support.

I'm currently using headers to save w

php automatically escaping single quotes
I'm trying to test out my security a bit and I've noticed that php is escaping my single quotes. For

Syntax error
hi im having a little trobble with this script
-------------------------------------------------

Multithreading design
Hi

I have come up with a Singleton class that manages a pool of database connections. Basical

PHP & Java
Hello,

can PHP code be used inside java code?

Code: <SCRIPT LANGUAGE="Java

Read from a text file after a specific word
Hi all.

I have a text file that looks like the one below.
I know how to open the text fi

COde for a Cc
I'm not receiving $ft as a Cc. Why is that??

$to = "$email";
$headers = "Fr

Pagination
Okay here is the page in question: http://blenderteachings.000a.biz/tutorials.hamishhill.php