omidbrb

  1. That's exactly what I'm asking. I wrote this piece of code from what I learned about XSS attacks. I don't know what I'm missing.
  2. Thanks. Just wanted to make sure I've patched all the doors!
  3. Hello Everyone, I'm facing a website which is quite badly written, with register_globals turned on and I don't have the time to go through the code and secure the website. Do you think including the following code (that works) above every page in the website will secure the website from cross-site scripting attacks? It's actually scanning all _GET and _SET variables that PHP has turned into variables:

         foreach(array_keys($_GET) as $kk) {
             $$kk = htmlspecialchars($$kk);
             $$kk = str_replace("shell_exec", "little_bunny", $$kk);
             $$kk = str_replace("exec", "little_bunny", $$kk);
             $$kk = str_replace("javascript", "evil_bunny", $$kk);
         }
         foreach(array_keys($_POST) as $kk) {
             $$kk = htmlspecialchars($$kk);
             $$kk = str_replace("shell_exec", "little_bunny", $$kk);
             $$kk = str_replace("exec", "little_bunny", $$kk);
             $$kk = str_replace("javascript", "evil_bunny", $$kk);
         }

     Best, Omid
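
An added example, not part of the original post or the site's code: the posted loop encodes request variables once on input and swaps out a few words, whereas the encoding a value needs depends on where it is printed (HTML text, an attribute, a script block, a link target). The helper names and sample values are hypothetical, and PHP 5.3 or later is assumed.

```php
<?php
// Added example. Helper names (as_text, out_html, out_js, out_href) are
// hypothetical; encoding is applied where a value is printed.

// Request parameters can arrive as arrays; treat anything non-scalar as empty.
function as_text($value)
{
    return is_scalar($value) ? (string) $value : '';
}

// HTML element content and quoted attribute values.
function out_html($value)
{
    // ENT_QUOTES encodes both quote characters, so the result is safe in
    // single- and double-quoted attributes.
    return htmlspecialchars(as_text($value), ENT_QUOTES, 'UTF-8');
}

// A string literal inside an inline <script> block.
function out_js($value)
{
    return json_encode(as_text($value),
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// A link target: allowlist the scheme instead of deleting the word
// "javascript", then encode for the attribute. Relative URLs are rejected
// here by choice (assumption: only absolute http/https links are wanted).
function out_href($value)
{
    $url = trim(as_text($value));
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme)
        || !in_array(strtolower($scheme), array('http', 'https'), true)) {
        return '#';
    }
    return out_html($url);
}

// Constructed sample values standing in for request input.
$name = 'Tom & "Jerry" <b>';
$link = 'https://example.com/?a=1&b=2';

echo '<p>Hello, ' . out_html($name) . "</p>\n";
echo '<a href="' . out_href($link) . "\">profile</a>\n";
echo '<script>var name = ' . out_js($name) . ";</script>\n";
```

The helpers cover output encoding only; they do not change what register_globals imports into the global scope.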