Securing a user input - need some confirmation

Posted on 16th Feb 2014 07:03 pm by admin

Hello All,

I am in the process of recoding a large proportion of an e-commerce site, one of the problems is that there are a few security issues floating around.

I have a search box which was originally unprotected against XSS, I was easily able to execute JavaScript and force the system to echo out HTML *holds head in hands*.

I am using this code:

$term=preg_replace('/[^a-zA-Z0-9s]/', "", $term);

...to remove any non-alphanumeric characters (excluding spaces), I am thinking because this will strip out any characters like ', ", <, >, /, = etc, it should make my script safe again.

Can you confirm this, or is there something that I am missing?


Many thanks

Your Answer:

Login to answer

Other forums

Save username into DB
OkaY so I got my blog to actually save the posts and whatever, all I need now is for it to keep the

Preg_match unknown modifyer
Hello,

Im trying to write a little script for my forums i need to get the reply from my forum

present value of sequence?
Hi

Please help me to find out the present value of sequence?

Thanks

cURL error
So here is my code... I got it off of here... http://www.youtube.com/watch?v=XcgQUsorF_8
Because

What do you call the "token" thing?
You know how some sites have links that run on tokens? Tokens are links that only stay alive for a c

Upload, SSL and more php help
I recently just installed a ssl cert and do i use https for the whole site or just for the checkout.

get url?
how do i get the url of the page i'm currently on, on my website.. i think its get header.. how do i

FILTER_CALLBACK -- Files?
Hi All,

I'm using the php filter functions to validate my form data. For custom filters, I'm

problem with GROUP BY and ORDER BY
i usually use this query to display the last 10 entries from a sql table:

Code: $query = &quo

How to disable direct access to a file
Suppose I've 2 Files. 1.php & 2.php

I don't want anybody to access 2.php directly fr