I am not sure why I can't reply to your PM, but...
Are you using custom-made scripts, or is it a system like this forum, using SMF?
If you are using an already-made system, chances are they already have this security feature in their scripts, along with others. SMF has the reputation of being one of the more secure systems, whereas PHP-Nuke has quite a few flaws.
All you would need to do with that snippet, depending on how you have your site set up, is, when processing the post data from your forms, before it is inserted into the database, use the clean function... something like this as an example:
function EvRegister($username, $password, $email, $ip){
    $data = array();
    // clean every value that came from the form before it goes anywhere near SQL
    $data['username'] = EvClean($_POST['usr_nme']);
    $data['password'] = EvClean($_POST['password']);
    $data['cpass']    = EvClean($_POST['cpass']);
    $data['email']    = EvClean($_POST['email']);
    // hash both password fields so the comparison and the stored value use the hash
    $data['password'] = EvEncrypt($_POST['password']);
    $data['cpass']    = EvEncrypt($_POST['cpass']);
    $getuser  = "SELECT username FROM users WHERE username = '". $data['username'] ."'";
    $getemail = "SELECT email FROM users WHERE email = '". $data['email'] ."'";
    $checkuser  = EvQuery($getuser) or die( mysql_error() );
    $checkemail = EvQuery($getemail) or die( mysql_error() );
    if( $data['password'] !== $data['cpass'] ){
        die("The passwords you entered don't match!\n");
    }elseif( $data['username'] == NULL && $data['password'] == NULL && $data['email'] == NULL ){
        die("Please enter data into the specified boxes!\n");
    }elseif( strlen($data['email']) < 5 ){
        die("Please enter a valid email address");
    }elseif( mysql_num_rows( $checkuser ) > 0 ){
        die('The Username you entered already exists! <a href="javascript:history.go(-1)">Go back</a>');//Return an error message
    }elseif( mysql_num_rows( $checkemail ) > 0 ){
        die('The Email you entered already exists! <a href="javascript:history.go(-1)">Go back</a>');//Return an error message
    }else{
        $query = EvInsertUser($data);//my insert checks for an array and breaks it down to key => value
        $ip = $_SERVER['REMOTE_ADDR'];
        $result = EvQuery($query) or die( mysql_error() );//Send the query to the query page
        if($result){
            echo 'You have successfully registered!<a href="javascript:history.go(-2)">Go back</a>';//Return a success message
        }else{
            die(mysql_error());
        }
    }
}
What this does: see how the data array is assigned to the post variables? Each post variable is cleaned via that function.
To answer your question, yes, you have to run this function on EVERY input.
Without this, said hacker can insert something like this...
x';
INSERT INTO members ('email','passwd','login_id','full_name')
VALUES ('steve@unixwiz.net','hello','steve','Steve Friedl');--';
into any one of your input areas and inject his own account into your database. There are countless other things they can do with injections like this. In your case though, the attacker is probably using an XSS (cross-site scripting) attack, so that whatever they ran on your system is allowing them to keep reinserting the malware even after the shell commands strip the malicious code out.
If you do manage to get this function into your scripts and the attacker is still inserting stuff, then I can almost guarantee that the server you are hosting on has been compromised.
Ask them if they've had any issues like this with other clients, or if it is just you.
I might suggest changing your account and passwords too... there is a possible chance you used a weak password and they have admin access to your account, to insert the code wherever and whenever they like.
I could sit here and list a TON of security measures you can take on your scripts, but unless the server is 100% secure (which none ever are), you will never be completely safe.
Nothing is ever 100% secure; there are always ways to get around any security measure. All you can do is take as many steps as you can to prevent it.
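As an added example that is not part of this post and does not use the poster's Ev* helpers: the same registration flow, written so that the form values never get concatenated into SQL at all. Prepared statements with placeholders make the injection string quoted above arrive at the database as a plain literal, and password_hash() replaces the home-grown EvEncrypt(). It assumes a form with the fields usr_nme, password, cpass and email, and uses an in-memory SQLite database (constructed here) so it runs offline with nothing else installed.

```php
<?php
// Added example, not the original poster's code.
// Assumptions: form fields usr_nme / password / cpass / email, a `users`
// table as created below, and a PDO connection $db.

function registerUser(PDO $db, array $post, string $ip): string
{
    $username = trim($post['usr_nme'] ?? '');
    $password = $post['password'] ?? '';
    $cpass    = $post['cpass'] ?? '';
    $email    = trim($post['email'] ?? '');

    // Validate before touching the database (reject, do not "clean").
    if ($username === '' || $password === '' || $email === '') {
        return 'Please enter data into the specified boxes!';
    }
    if ($password !== $cpass) {
        return "The passwords you entered don't match!";
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'Please enter a valid email address';
    }

    // Placeholders keep the values as data, whatever quotes they contain.
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = :u OR email = :e');
    $stmt->execute([':u' => $username, ':e' => $email]);
    if ((int) $stmt->fetchColumn() > 0) {
        return 'The Username or Email you entered already exists!';
    }

    $stmt = $db->prepare(
        'INSERT INTO users (username, password, email, ip) VALUES (:u, :p, :e, :ip)'
    );
    $stmt->execute([
        ':u'  => $username,
        ':p'  => password_hash($password, PASSWORD_DEFAULT), // salted, slow hash
        ':e'  => $email,
        ':ip' => $ip,
    ]);

    // Escape on output so a stored value cannot become script in the page (XSS).
    return 'You have successfully registered, '
        . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '!';
}

// ---- self-contained demo on an in-memory SQLite database (constructed data) ----
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, email TEXT, ip TEXT)');

// A normal registration.
echo registerUser($db, [
    'usr_nme' => 'alice', 'password' => 'correct horse',
    'cpass' => 'correct horse', 'email' => 'alice@example.com',
], '127.0.0.1'), "\n";

// The injection string quoted in the post, submitted as the username: with a
// placeholder it is stored as a literal string, not run as a second statement.
$payload = "x'; INSERT INTO members ('email','passwd','login_id','full_name') "
         . "VALUES ('steve@unixwiz.net','hello','steve','Steve Friedl');--";
echo registerUser($db, [
    'usr_nme' => $payload, 'password' => 'pw', 'cpass' => 'pw',
    'email' => 'bob@example.com',
], '127.0.0.1'), "\n";

// Two rows, one of them literally named with the payload text, and no `members` table.
echo 'rows in users: ', $db->query('SELECT COUNT(*) FROM users')->fetchColumn(), "\n";
```

The point of the design is that there is no cleaning function to forget on one input: every value goes through a bound parameter, so the "run it on EVERY input" rule from the post is enforced by the query API rather than by discipline. Note also that the mysql_* functions used in the post were removed in PHP 7.0; PDO or mysqli with prepared statements is what current PHP offers in their place.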