Securing a user input - need some confirmation


Posted on 16th Feb 2014 07:03 pm by admin

Hello All,

I am in the process of recoding a large proportion of an e-commerce site; one of the problems is that there are a few security issues floating around.

I have a search box which was originally unprotected against XSS; I was easily able to execute JavaScript and force the system to echo out HTML *holds head in hands*.

I am using this code:

$term = preg_replace('/[^a-zA-Z0-9\s]/', '', $term);

...to remove any non-alphanumeric characters (excluding spaces). I am thinking that because this will strip out characters like ', ", <, >, /, = etc., it should make my script safe again.

Can you confirm this, or is there something that I am missing?


Many thanks
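Added example (my code, not from the post): it compares the filter exactly as typed with the one the poster describes, and puts context-specific output encoding with htmlspecialchars beside it, since encoding at the point of output is the defence that holds no matter how the search term was filtered. The sample search term is constructed.

```php
<?php
// Added example, not the poster's code: compare the filter as posted with
// the intended one, and show output encoding as the actual XSS defence.

// As posted: the class is [^a-zA-Z0-9s]. The lone "s" is just the letter s
// (already covered by a-z), so spaces are stripped with everything else.
function filter_as_posted(string $term): string {
    return preg_replace('/[^a-zA-Z0-9s]/', '', $term);
}

// As intended: \s keeps whitespace, so multi-word searches survive.
function filter_alphanumeric(string $term): string {
    return preg_replace('/[^a-zA-Z0-9\s]/', '', $term);
}

// Context-specific output encoding for an HTML body or attribute value.
// This is what stops a reflected search term from being parsed as markup,
// and it works for any input, so it does not depend on the filter above.
function html_escape(string $term): string {
    return htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: a multi-word search containing HTML markup.
$term = 'red <b>shoes</b> size 9';

echo filter_as_posted($term), "\n";      // redbshoesbsize9 (spaces lost)
echo filter_alphanumeric($term), "\n";   // red bshoesb size 9
echo html_escape($term), "\n";           // red &lt;b&gt;shoes&lt;/b&gt; size 9

// If the filtered term is echoed back unescaped, the character class is the
// only thing standing between the user and the page. Any later relaxation of
// it (allowing an apostrophe for "men's", say) reopens the hole, so escape at
// output regardless of what the filter allowed through:
echo '<input type="text" name="q" value="',
     html_escape(filter_alphanumeric($term)), '">', "\n";
```

The filter is still reasonable as input validation for a search term; the point is that it is a complement to output encoding, not a replacement for it.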
