Securing a user input - need some confirmation


Posted on 16th Feb 2014 07:03 pm by admin

Hello All,

I am in the process of recoding a large proportion of an e-commerce site, one of the problems is that there are a few security issues floating around.

Did you know?Explore Trending and Topic pages for more stories like this.
I have a search box which was originally unprotected against XSS, I was easily able to execute JavaScript and force the system to echo out HTML *holds head in hands*.

I am using this code:

$term=preg_replace('/[^a-zA-Z0-9s]/', "", $term);

...to remove any non-alphanumeric characters (excluding spaces), I am thinking because this will strip out any characters like ', ", <, >, /, = etc, it should make my script safe again.

Can you confirm this, or is there something that I am missing?


Many thanks
No comments posted yet

Your Answer:

Login to answer
217 Like 28 Dislike
Previous forums Next forums
Other forums

Dynamic Data + Sql Server 2005 Enterprise?
Hi! I have just started to learn ASP.NET, and it looks like it is quite a lot to learn. Im not reall

distinct rows
Hi
version 10.2.0.3

I have a query output something like the following

ID

Problem writing URL into database
How would I write this into the database?

<?php echo "http://".$_SERVER['SER

How do I know when getBounds Method is ready to be called.
I have an application that changes out stylesheets client side. Once I change stylesheet the browse

Lack of simpleXML Documentation
What is up with this.

Look at: http://www.php.net/manual/en/function.simplexml-load-file.php<

How to display random record from table?
I have the following code:

Code: <?php
$display_block .= "<input type=

this code is not working????
it says this error.. Warning: Division by zero in ..

the variables are correct, so why is th

type check while uploading
Hi Everyone,

How can I check the exact type of a file while uploading on my site?

Here

Sub-domains & calling unique content
Hello,

Is there a way use something similar to the $_GET function for a sub-domain? I to be a

Do While statement
hi guys,

This may sound trivial but im new to php and as part of an assignmenti have to const

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash