Securing a user input - need some confirmation


Posted on 16th Feb 2014 07:03 pm by admin

Hello All,

I am in the process of recoding a large proportion of an e-commerce site, one of the problems is that there are a few security issues floating around.

Did you know?Explore Trending and Topic pages for more stories like this.
I have a search box which was originally unprotected against XSS, I was easily able to execute JavaScript and force the system to echo out HTML *holds head in hands*.

I am using this code:

$term=preg_replace('/[^a-zA-Z0-9s]/', "", $term);

...to remove any non-alphanumeric characters (excluding spaces), I am thinking because this will strip out any characters like ', ", <, >, /, = etc, it should make my script safe again.

Can you confirm this, or is there something that I am missing?


Many thanks
No comments posted yet

Your Answer:

Login to answer
217 Like 28 Dislike
Previous forums Next forums
Other forums

Inserting multiple records from single form
I've found a number of threads that deal with this issue, but I'm new to php and coding language so

Sufficient protection from bad input?
I am writing a simple script to let people upload 'pages' of their own content, be it simply a few b

Delete Client 066 Earlywatch
Hi all,

in former times client earlywatch was required for SAPs remote access to SAP inst

using a loop help
Hi guys , i need some help. I have this loop :
while ($row = mysql_fetch_assoc($Result)) { ?&

Problem with DB connection
Hello there! I'm new to this forum and I'm new to PHP coding also. I wrote something that doesn't ma

simple ping code
been searchin the site/web and found code thats simple but doesnt work.

I have a personal we

Values disappear from my array :( HELP!
hey all, I have a lil mysql/php/apache script that queries a database
and pulls put 5 integers.

Sort Alternative/bi-monthly
Hi all,

Am going mad trying to get something to work.

I'm creating a CMS for a magazi

how to timeout $doc = new DOMDocument()->load($url)
I am currently using this $doc->load($url) to fetch an rss feed.
If a feed takes long than

Splitting Attributes
SQL> SELECT I_NAME, substr(I_NAME,1,instr(I_NAME,'O')) "First part",

substr(I_NAME, IN

Sign up to write
Sign up now if you have flare of writing..
Login   |   Register
Follow Us
Indyaspeak @ Facebook Indyaspeak @ Twitter Indyaspeak @ Pinterest RSS



Play Free Quiz and Win Cash