Securing a user input - need some confirmation


ILMV

Hello All,

 

I am in the process of recoding a large proportion of an e-commerce site; one of the problems is that there are a few security issues floating around.

 

I have a search box which was originally unprotected against XSS; I was easily able to execute JavaScript and force the system to echo out HTML *holds head in hands*.

 

I am using this code:

 

$term=preg_replace('/[^a-zA-Z0-9\s]/', "", $term);

 

...to remove any non-alphanumeric characters (excluding spaces). I am thinking that because this will strip out any characters like ', ", <, >, /, = etc., it should make my script safe again.

 

Can you confirm this, or is there something that I am missing?

 

 

Many thanks,

Ben

This is for a search box? Assumably all you do with the contents of the search box is echo it out on screen saying...

 

You searched for...

 

That being the case, I don't understand how XSS attacks would be an issue: the user can write whatever they like in the box; it's only going to affect themselves, not other users. Or did I miss the point? The method you have would perhaps work, though it would prevent searching for anything other than an alphanumeric character. Why not just use htmlentities on the output?

Thanks for your reply. You are correct, we do have a "You have searched for [...]"; these other points may make the scenario a bit clearer:

 

1) I do not want to be able to search by anything other than an alphanumeric string.

2) I want the search to be bookmarkable, so if I search for "joe bloggs" it will generate a URL like this: "/search/joe-bloggs". Therefore I don't want any of the ASCII character codes at all (that would be spat out by htmlentities).

 

I just figured that it would solve both of my problems with one stone, as it were.

 

 

Cheers,

Ben

Ahh, well, in that case removing the characters might be your best option. I can certainly see why you may wish to do this with regards to URL neatening, but as I previously stated, XSS would be a bit of a non-issue (unless somebody was stupid enough to click on a URL link that had script in it, I suppose). One thing I must say, though, is that simply ripping characters out of a string can be VERY annoying.

 

When I had my last phone, I tried to sign up to T-Mobile's site using something_something as a username. They must have employed a method similar to what you're describing, because I eventually managed to work out that it had changed my username to somethingsomething without even bothering to tell me. Obviously a search string is not quite as serious as a username field, but it could still potentially be quite annoying and as such is probably worth bearing in mind.

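As an added example (not code from anyone in this thread), here is how the two halves of the discussion fit together in PHP: the poster's whitelist regex builds the bookmarkable slug, while htmlspecialchars escapes the term where it is echoed back on screen. The function names and sample inputs are my own. The third sample is what a crafted search link would carry; because the search term is reflected back to whoever follows such a link, escaping the output is what keeps that case harmless, independent of what the slug does.

```php
<?php
declare(strict_types=1);

// Build the bookmarkable slug the thread describes: keep only ASCII letters,
// digits and whitespace (the poster's own pattern), collapse runs of
// whitespace to one hyphen and lower-case the result for the URL path.
function searchSlug(string $term): string
{
    $clean = preg_replace('/[^a-zA-Z0-9\s]/', '', $term);
    $clean = trim(preg_replace('/\s+/', ' ', $clean));
    return strtolower(str_replace(' ', '-', $clean));
}

// Escape a value at the point it is echoed into HTML. ENT_QUOTES covers both
// quote styles, so the same helper is safe inside attribute values too.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The "You searched for" line plus the bookmark link. The slug goes into the
// URL; the escaped original goes on screen, so the user sees exactly what they
// typed and can tell if the slug dropped anything (the "somethingsomething" problem).
function renderSearch(string $term): string
{
    $slug = searchSlug($term);
    return '<p>You searched for <q>' . h($term) . '</q></p>' . "\n"
        . '<a href="/search/' . rawurlencode($slug) . '">Bookmark this search</a>' . "\n";
}

// Constructed sample inputs: a plain query, one with an underscore that the
// whitelist silently removes, and one carrying markup, which a crafted search
// link would deliver to an unescaped echo.
$samples = ['joe bloggs', 'joe_bloggs', '<b>joe</b> "bloggs"'];
foreach ($samples as $term) {
    echo renderSearch($term);
}
```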
