Query Sanitizer


camilord

2:16 pm on Feb 22, 2007 (gmt 0)


Please give me some super secure query sanitizer..

I already used kses...

Any other suggestions please..

Thanks...

eelixduppy

2:18 pm on Feb 22, 2007 (gmt 0)



Well, if you are using MySQL, you will want to use mysql_real_escape_string [us3.php.net] to escape potentially harmful characters in the query.
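
As an added example that is not part of the thread, the PHP below shows what the escaping eelixduppy recommends actually prevents, and sets it beside a parameterised query. It uses PDO with an in-memory SQLite database (pdo_sqlite) so it runs offline; the table, rows and attacker string are constructed for the example. PDO::quote() stands in for mysql_real_escape_string(), which needs an open MySQL connection (the original mysql_* extension was removed in PHP 7; mysqli_real_escape_string() is the current equivalent, and the same PDO calls work unchanged against MySQL).

```php
<?php
// Added example, not from the thread: a concatenated query beside an escaped one and a
// parameterised one. PDO + in-memory SQLite so it runs offline; PDO::quote() plays the
// role of mysql_real_escape_string(), which needs an open MySQL connection to know the
// connection character set.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_admin INTEGER NOT NULL)');
$pdo->exec("INSERT INTO users (name, is_admin) VALUES ('alice', 0), ('bob', 1)");

// 1. Concatenation: a quote in the input closes the string literal and the rest is parsed as SQL.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Escaping: PDO::quote() escapes the embedded quote and wraps the value, so it stays one
//    literal. mysql_real_escape_string() does the escaping part for MySQL; you add the
//    surrounding quotes yourself.
function findUserEscaped(PDO $pdo, string $name): array
{
    $sql = 'SELECT name FROM users WHERE name = ' . $pdo->quote($name);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Prepared statement: the value is bound separately and is never parsed as SQL at all.
function findUserPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker input, as it might arrive in $_GET['name'].
$attack = "nobody' OR '1'='1";

var_dump(findUserUnsafe($pdo, $attack));   // every row: the WHERE clause has become always true
var_dump(findUserEscaped($pdo, $attack));  // no rows: it looked for a user literally named that
var_dump(findUserPrepared($pdo, $attack)); // no rows either
```

Two caveats a practitioner would want. Escaping only protects a value that sits inside a quoted string literal: `WHERE id = $id` with an escaped but unquoted `$id` is still injectable, which is one reason the prepared form is the one to reach for. And mysql_real_escape_string() escapes according to the connection's character set, so it has to be called after the connection is open and with the charset the server really uses.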

camilord

2:31 pm on Feb 22, 2007 (gmt 0)


Thanks... I will try it now.. :)

mcibor

2:55 pm on Feb 22, 2007 (gmt 0)


Also, if you want to disable any HTML, then you can use htmlspecialchars [php.net]:
$text = htmlspecialchars($text, ENT_QUOTES);

eelix's solution should prevent most attacks on the MySQL server.

Just remember never to trust any data sent via $_GET, $_POST, $_COOKIE or $_SERVER, as they may be modified by the user.

Michal

Psychopsia

3:00 pm on Feb 22, 2007 (gmt 0)


Hi!
How can $_SERVER be modified by the user? Or which array keys can be?

mcibor

3:22 pm on Feb 22, 2007 (gmt 0)


As far as I know, all keys may be modified.
I found an example of XSS (cross-site scripting), but only in Polish.

For sure $_SERVER['PHP_SELF'] [de3.php.net] and HTTP_REFERER may be modified. I don't know about any others, but you certainly cannot trust it, and you should filter it.

The example script attacking one of the auction servers in Poland was:
[ssl.host.pl...]
function()%7Ba=document.getElementsByTagName(String.fromCharCode(105,110,
112,117,116));for(b=0;b%3Ca.length;b++)alert(a%5Bb%5D.value);%7D%3C/script%3E
?page=settings&type=set_my

Now the bug has been fixed, so no worries.
The problem was that in the link there were no quotes:
<a href=http://domain.com>:
$url = filter_quotes($_SERVER['PHP_SELF']);
echo "<a href=$url>Click</a>";

If there had been
echo "<a href=\"$url\">Click</a>";

there would have been no way to XSS.

Hope this clears things up for you.
Regards
Michal
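
As an added example (not code from the thread), here is the unquoted link from Michal's post beside the two quoted forms, in PHP, tying it back to the htmlspecialchars($text, ENT_QUOTES) line from his earlier post. filter_quotes() is a hypothetical stand-in: the post says only that the site filtered quotes, so this one strips them. The PHP_SELF values are constructed; PHP_SELF carries PATH_INFO, so a request to /index.php/<payload> lands the payload after the script name, which is how an unquoted attribute picks up a space-separated event handler without any quote character. The ENT_QUOTES flag matters because before PHP 8.1 htmlspecialchars() did not encode single quotes by default.

```php
<?php
// Added example, not from the thread. filter_quotes() is a hypothetical stand-in for the
// auction site's filter: the post only says quotes were filtered, so this one strips them.
function filter_quotes(string $s): string
{
    return str_replace(['"', "'"], '', $s);
}

// 1. The form from the post: unquoted attribute. The first space ends the href value and
//    whatever follows is parsed as further attributes of the <a> tag, so no quote is needed.
function linkUnquoted(string $url): string
{
    return '<a href=' . filter_quotes($url) . '>Click</a>';
}

// 2. The fix from the post: a quoted attribute. With quotes stripped from the input there is
//    nothing left that can close the attribute, so the payload stays inert inside href.
function linkQuotedFiltered(string $url): string
{
    return '<a href="' . filter_quotes($url) . '">Click</a>';
}

// 3. Quoted attribute with htmlspecialchars(..., ENT_QUOTES): " and ' become entities instead
//    of being dropped, so the value survives intact and still cannot close the attribute.
function linkQuotedEncoded(string $url): string
{
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES) . '">Click</a>';
}

// Constructed attacker-controlled PHP_SELF values. A request to /index.php/<payload> puts the
// payload after the script name because PHP_SELF includes PATH_INFO.
$spacePayload = '/index.php/ onmouseover=alert(1)';      // needs no quote at all
$quotePayload = '/index.php/" onmouseover="alert(1)';    // tries to close a quoted attribute

foreach ([$spacePayload, $quotePayload] as $phpSelf) {
    echo "unquoted, quotes stripped: ", linkUnquoted($phpSelf), "\n";        // live handler
    echo "quoted, quotes stripped:   ", linkQuotedFiltered($phpSelf), "\n";  // inert, but value mangled
    echo "quoted, entity-encoded:    ", linkQuotedEncoded($phpSelf), "\n\n"; // inert, value preserved
}
```

Note what htmlspecialchars() does not do: it makes a value safe to place inside a quoted attribute, but it does not judge the value's meaning. For PHP_SELF that is enough, since the value always begins with the script path, but a fully user-supplied href would still need its scheme checked before a javascript: URL could be let through.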