Securing a user input - need some confirmation

Posted on 16th Feb 2014 07:03 pm by admin

Hello All,

I am in the process of recoding a large proportion of an e-commerce site, one of the problems is that there are a few security issues floating around.

I have a search box which was originally unprotected against XSS, I was easily able to execute JavaScript and force the system to echo out HTML *holds head in hands*.

I am using this code:

$term=preg_replace('/[^a-zA-Z0-9s]/', "", $term);

...to remove any non-alphanumeric characters (excluding spaces), I am thinking because this will strip out any characters like ', ", <, >, /, = etc, it should make my script safe again.

Can you confirm this, or is there something that I am missing?


Many thanks

Your Answer:

Login to answer

Other forums

Pagination
Hi All,

I think I'm finally getting somewhere with pagination!

I can now submit a quer

Need understanding of this bit of code
Code: <?php
// WHERE clause filters
$arrSQLFilters = array();

//

remove a ; from emails in textarea
Code: <?php

session_start();

$database_host = "localhost&qu

Nested (echoed) php running wrong script
Got a problem with a php website I'm creating.

In a nutshell, the first page is entirely html

quick question
Hi ..

i have a question
how do i set a var so it displays via an echo
Code: $logo = '&a

2 decima places & How to reload my page
Hello There,

How do i put full-stop (.) after second figure from behind? ie if i have 123456

php slowing my site?
Hi all,

I think that one of the reasons that my site doesn't work fast is that the code is ve

What makes a script your own?
If someone finds a login script online, and changes some variable names around and some other minor

Help Ordering Arrays
Hi, I have 3 arrays as shown below.

Code: $users = $this->get_latest_users();
$flir

Redirecting Admin
In my members table, I have a field called "perm" and it's set to zero for all members. Ho