
XSS?

ayushchd

11:24 am on Aug 26, 2007 (gmt 0)

10+ Year Member



I just came to know that someone has extracted the username and password from my database?

When I asked him, I came across the term XSS..
Can someone guide me?

dreamcatcher

11:30 am on Aug 26, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



This might be useful:
[en.wikipedia.org...]

dc

ayushchd

1:50 pm on Aug 26, 2007 (gmt 0)

10+ Year Member



Is there any good tutorial on how I can protect my PHP scripts from XSS attacks?

henry0

5:19 pm on Aug 26, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It's all about escaping and properly filtering input.

Get "Essential PHP Security"; that little book is in our library's PHP book list.

<edit>
This means cross-site scripting,
but also read about
cross-site forgeries.
</edit>

dreamcatcher

6:30 pm on Aug 26, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Did you check out some of the links at the base of the wiki page?

dc

ayushchd

4:42 pm on Aug 27, 2007 (gmt 0)

10+ Year Member



Hi... after a lot of reading and head scratching, I just want to ask: on my site, I'm filtering almost every input like this:

    if (!preg_match("/^([a-zA-Z0-9]+)$/", $user)) {
        $notice = "<div id=\"failure\">Only alphabets and numbers allowed for usernames.</div>";
    }

So, is it vulnerable to XSS attacks even if I'm filtering the data and allowing the insertion of trusted data?

RonPK

5:25 pm on Aug 27, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It seems to me that two concepts are being mixed in this thread.

Cross Site Scripting (XSS): this involves the bad guy injecting HTML and JavaScript into a page through a form, which enables him to read cookies or make fake pages. Can easily be prevented by using htmlspecialchars() when writing user input to HTML.

SQL injection: query a database at will by forging the query string. Can easily be prevented by proper escaping of user input (mysql_real_escape_string()).
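The two separate defenses RonPK describes, put next to the username check ayushchd posted, as an added example that is not code from this thread. It swaps in PDO prepared statements for the mysql_real_escape_string() approach named above; the table and column names, the h() helper and the sample request values are assumptions.

```php
<?php
// Added example, not code from the thread: the two separate defenses
// RonPK describes, applied around the username check ayushchd posted.
declare(strict_types=1);

// Input validation: whitelist the username exactly as in the thread.
// This alone protects only fields that can be restricted this tightly.
function isValidUsername(string $user): bool
{
    return preg_match('/^[a-zA-Z0-9]+$/', $user) === 1;
}

// Output escaping: every value written into HTML passes through
// htmlspecialchars(), whatever validation it had on input. ENT_QUOTES
// also escapes single quotes so the value is safe inside attributes.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Database access: a prepared statement keeps the value out of the SQL
// text, so no per-value escaping is needed. PDO is used here in place of
// the mysql_* functions named in the thread (table/column names assumed).
function findUserByName(PDO $db, string $user): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed request values standing in for form input.
$user    = $_GET['user']    ?? "O'Brien <b>";
$comment = $_GET['comment'] ?? 'Nice "site" & <i>fast</i>';

if (!isValidUsername($user)) {
    // The rejected value is escaped before being echoed back in the notice.
    $notice = '<div id="failure">Only letters and numbers are allowed for usernames'
            . ' (got "' . h($user) . '").</div>';
} else {
    $notice = '<div id="ok">Welcome, ' . h($user) . '</div>';
}
echo $notice, "\n";

// A free-text field cannot be whitelisted like the username, so escaping
// on output is the defense that matters for it.
echo '<p>', h($comment), "</p>\n";
```

findUserByName() is defined but not called by the script because it needs a live PDO connection; the rest runs from the command line with no database.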