Securing a user input - need some confirmation

Posted on 16th Feb 2014 07:03 pm by admin

Hello All,

I am in the process of recoding a large proportion of an e-commerce site, one of the problems is that there are a few security issues floating around.

I have a search box which was originally unprotected against XSS, I was easily able to execute JavaScript and force the system to echo out HTML *holds head in hands*.

I am using this code:

$term=preg_replace('/[^a-zA-Z0-9s]/', "", $term);

...to remove any non-alphanumeric characters (excluding spaces), I am thinking because this will strip out any characters like ', ", <, >, /, = etc, it should make my script safe again.

Can you confirm this, or is there something that I am missing?


Many thanks

Your Answer:

Login to answer

Other forums

Help If user voted, block them
On my Prayer request site, i let users Click a button to Pray for somone that has posted a pray, i g

str_replace help
Hey there,

I'm a PHP newb, I'm having troubles with the str_replace function. I want to clean

My query is being run with no results.
I have this.

Code: function DropUser($duser_id, $user_email, $user_username) {

PHP MySQL and DATE
Hi everyone

I have a databse and in one of the columns I have date values such as 2009-March-

replacements
I have a variable in my PHP script like

ASSFDDDDDDDDDDDDDASDDDDDDDDARYTRHKKHHHHHHHHHHH and p

Populate drop down list from table??
Lets say for arguments sake that i have a table which contains the numbers 1 to 10.
How can i get

Need help making a blockquote and line items conditional
I have some code I bought a few years ago that allows my clients to update content on their site usi

query help
Hi experts.

i have a table rep2 like this
PROD_COD ACCT_NO DUE_DAYS BALANCE

mail with attachment problems
Hi. I have the following code:
Code: else if(file_exists("site".$timp.".zip")

SAP Project Module
I have seen in the SAP Project Module,plan cost and budget are not equal and even difference is sign