Securing a user input - need some confirmation


Posted on 16th Feb 2014 07:03 pm by admin

Hello All,

I am in the process of recoding a large proportion of an e-commerce site, one of the problems is that there are a few security issues floating around.

I have a search box which was originally unprotected against XSS, I was easily able to execute JavaScript and force the system to echo out HTML *holds head in hands*.

I am using this code:

$term=preg_replace('/[^a-zA-Z0-9s]/', "", $term);

...to remove any non-alphanumeric characters (excluding spaces), I am thinking because this will strip out any characters like ', ", <, >, /, = etc, it should make my script safe again.

Can you confirm this, or is there something that I am missing?


Many thanks

No comments posted yet

Your Answer:

Login to answer
217 Like 28 Dislike
Previous forums Next forums
Other forums

function not returning the correct value
I have a program that needs to return a value from a function. I have an output statement inside the

Require select-option functionality in Module Pool Programming
Hi Gurus,

I am doing a development by Module Pool on Warehouse Management. For that devel

Help me with some material on Open Text Overview.
Hi Experts,
Please help me out with some material on Open Text. I have been supporting AP Workf

'210010106140040100' == '210010106140040101'
Debugging this simple line of a PHP script

Code: if($a == $b){ }
I've found that with val

login and redirect
hello! can someone help me.. can you give me an idea.. I want to make a login page and redirects it

Login Script Issues
I am using a script I got from http://phpsense.com/php/php-login-script.html in order to allow peopl

Gridview Not updating in Update Panel
I have a gridview, three dropdown list boxes, and a button on my form. What is displayed in the gri

cURL Sending File as Post
This is a bit complicated, I'm just hoping someone else has run into this and knows how to do it a d

error reporting
hey everyone

I have a production server in which I want error reporting but only on some page

Warning: mysql_num_rows() expects parameter 1
When i add quote at the end of this link
example:http://localhost/articlemania/category.php?cid=3

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash