Thread: validation


jrthor2
11-02-2005, 01:34 PM
I have some forms that I need to make more secure. I've found that if you put the below code into one of the form fields, it executes the script when the page loads again, displaying this in the form field. How can I not allow this type of thing?

JavaScript code that got executed:

';alert('XSS')//";alert('XSS')//</SCRIPT>!--<SCRIPT>alert('XSS')</SCRIPT>=%26{}

Thanks

LiLcRaZyFuZzY
11-02-2005, 03:11 PM
how is the form processed?

NogDog
11-02-2005, 03:30 PM
You could use htmlentities() (http://www.php.net/htmlentities) when you output the data so that the HTML tags are not output as such.
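As an added example (not from NogDog's post or the original thread), here is the output-encoding fix applied to the payload jrthor2 posted, echoed back into a form field with and without htmlentities(). The input's name attribute and the surrounding markup are assumptions; the point is the ENT_QUOTES flag, because the default flag set in PHP versions before 8.1 leaves the single quote unencoded and the payload starts with one.

```php
<?php
// Added example, not code from the original thread. Shows output encoding of
// untrusted form input with htmlentities(). The field name "city" and the
// surrounding <input> markup are assumptions.

// Constructed sample input: the exact payload posted in the thread.
$posted = <<<'PAYLOAD'
';alert('XSS')//";alert('XSS')//</SCRIPT>!--<SCRIPT>alert('XSS')</SCRIPT>=%26{}
PAYLOAD;

// Encode a value for use inside an HTML attribute or text node.
// ENT_QUOTES matters here: without it (the default before PHP 8.1) the single
// quote is left alone, so a value='...' attribute can still be broken out of.
function html_attr(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Vulnerable: the leading ' in the value ends the attribute, </SCRIPT> and
// <SCRIPT> are parsed as tags, and the browser runs alert('XSS').
$vulnerable = "<input type='text' name='city' value='" . $posted . "'>";

// Hardened: <, >, &, " and ' all become entities, so the browser renders the
// payload as literal text inside the field and executes nothing.
$hardened = "<input type='text' name='city' value='" . html_attr($posted) . "'>";

echo "Vulnerable:\n", $vulnerable, "\n\n";
echo "Hardened:\n", $hardened, "\n";
```

The same html_attr() call belongs on every place the stored value is printed, not only the form field where it was first noticed; encoding once at output time, with the charset named explicitly, is what stops the browser from reinterpreting the data as markup.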

jrthor2
11-03-2005, 07:48 AM
Ok, I got htmlentities to work, thanks. Now I have another issue. If I enter something like the below code in a city search box on a form, it returns me a list of all cities that begin with N or s. How can I stop this?

N%' or Insrp_prop_cty Like 's%

Thanks again!

NogDog
11-03-2005, 08:20 AM
Assume the name of the form field with the search value is called "search":

// Read the raw value of the "search" field from the submitted form.
$search = $_POST['search'];

// If magic_quotes_gpc is on, PHP has already backslash-escaped the input;
// undo that first so the value is not escaped a second time below.
if(ini_get("magic_quotes_gpc"))
{
    $search = stripslashes($search);
}

// Escape quotes and other special characters for use inside a MySQL string literal.
$search = mysql_real_escape_string($search);
# now $search is ready for use in a query.

jrthor2
11-03-2005, 08:24 AM
We are not using MySQL at all. We call our Oracle database with straight SQL commands. What is this: if(ini_get("magic_quotes_gpc"))??

NogDog
11-03-2005, 08:34 AM
Replace mysql_real_escape_string with addslashes() for non-MySQL use.

The ini_get() expression is checking to see if "magic quotes" is turned on, which escapes all quotes from the form input. I was doing that to make sure the mysql_real_escape_string() (or addslashes) did not "double escape" quotes in the input.
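As an added example that is not part of any post in this thread, here is the Oracle city search written so that the user's text never becomes part of the SQL statement at all: the value is passed as a bind variable through PHP's oci8 extension, so no escaping function has to match the database's quoting rules. The table name PROPERTY, the connection credentials, and the form field name "city" are assumptions; the column name Insrp_prop_cty and the injected input are taken from jrthor2's post.

```php
<?php
// Added example, not code from the original thread. Demonstrates the city
// search with an Oracle bind variable instead of string concatenation.
// Assumptions: table PROPERTY, form field "city", connection scott/tiger@localhost/XE.

// Constructed sample input: the payload from the thread, used when the form
// field is absent so the script can be read top to bottom.
$raw = $_POST['city'] ?? "N%' or Insrp_prop_cty Like 's%";

// magic_quotes_gpc (PHP 4/5 only) backslash-escapes GET/POST data on arrival.
// Undo it so the bound value is the user's text, not a doubly escaped copy.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $raw = stripslashes($raw);
}

// The user typed a city prefix, not a pattern: escape the LIKE metacharacters
// so a literal % or _ in the input matches itself, then add the wildcard.
function like_prefix(string $s): string
{
    $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $s);
    return $escaped . '%';
}

// VULNERABLE (built here for comparison, never executed): the quote in the
// input closes the literal and the rest is parsed as SQL, which is why
// "N%' or Insrp_prop_cty Like 's%" returned every city starting with N or s.
$vulnerable_sql = "SELECT Insrp_prop_cty FROM PROPERTY WHERE Insrp_prop_cty LIKE '" . $raw . "%'";

// HARDENED: the statement text is fixed. The value travels separately as a
// bind variable and cannot change the structure of the query, whatever it contains.
$sql = "SELECT Insrp_prop_cty FROM PROPERTY WHERE Insrp_prop_cty LIKE :pattern ESCAPE '\\'";

$conn = oci_connect('scott', 'tiger', 'localhost/XE');   // assumed credentials
if (!$conn) {
    $e = oci_error();
    exit('Connect failed: ' . $e['message']);
}

$stmt = oci_parse($conn, $sql);
$pattern = like_prefix($raw);   // the payload becomes one literal prefix, e.g. N\%' or ... 's\%%
oci_bind_by_name($stmt, ':pattern', $pattern);
oci_execute($stmt);

while (($row = oci_fetch_assoc($stmt)) !== false) {
    // Output encoding from earlier in the thread still applies on the way out;
    // oci8 returns unquoted Oracle column names in upper case.
    echo htmlentities($row['INSRP_PROP_CTY'], ENT_QUOTES, 'UTF-8'), "\n";
}

oci_free_statement($stmt);
oci_close($conn);
```

With the bind variable in place the injected text simply fails to match any city, and the magic_quotes check remains only to keep stray backslashes out of the search term; the escaping step that had to be kept in sync with the database's quoting rules is gone.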