On Tue, 20 Dec 2005, SecurityReason - sp3x wrote:

> Hi Paul
> Do you have any idea how to fix or update the filter of phpnuke against the XSS that my friend discovered?
> We were working with chaserv from nukefixes.com on this fix...
> But as you wrote on bugtraq, the fix is not very good...
>
> Any idea for a good fix??
>
> BTW: http://castlecops.com is working with the phpnuke team??
> just asking :)

Hi'ya, as per my previous post you can use htmlspecialchars or htmlentities. So in this case take the query and run it through htmlspecialchars:

$query = htmlspecialchars($query);

... _before_ you do anything with it like displaying the query back to the user.

--
Paul Laudanski, Microsoft MVP Windows-Security
[cal] http://events.castlecops.com
[de] http://de.castlecops.com
[en] http://castlecops.com
[wiki] http://wiki.castlecops.com
[family] http://cuddlesnkisses.com
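The fix Paul describes, worked through as an added example that is not code from this thread or from phpnuke itself; the results markup, the function names and the sample inputs are constructed for illustration:

```php
<?php
// Added example (not phpnuke code): escape a user-supplied search query on
// output before echoing it back into the page, as Paul suggests.

// Vulnerable pattern: the raw query is interpolated straight into HTML,
// both as element text and inside a quoted attribute value.
function render_unsafe(string $query): string
{
    return "<p>Results for: $query</p>\n"
         . "<input type=\"text\" name=\"query\" value=\"$query\">\n";
}

// Hardened pattern: htmlspecialchars() on the way out. ENT_QUOTES is passed
// explicitly because older PHP releases defaulted to ENT_COMPAT, which leaves
// single quotes untouched; that matters when the value lands inside a
// single-quoted attribute. Naming the charset removes any ambiguity about how
// multibyte input is interpreted while escaping.
function render_safe(string $query): string
{
    $q = htmlspecialchars($query, ENT_QUOTES, 'UTF-8');
    return "<p>Results for: $q</p>\n"
         . "<input type=\"text\" name=\"query\" value=\"$q\">\n";
}

// Cheap check for a test: escaped output must contain none of the characters
// that can change HTML structure.
function contains_raw_markup_chars(string $html_fragment): bool
{
    return preg_match('/[<>"\']/', $html_fragment) === 1;
}

// Constructed sample inputs: a benign query, one with tags, one with both
// kinds of quote and an ampersand.
$samples = ['linux kernel', '<b>bold</b>', 'it\'s "quoted" & more'];

foreach ($samples as $input) {
    echo "--- input: $input\n";
    echo "unsafe:\n" . render_unsafe($input);
    echo "safe:\n" . render_safe($input);
    $escaped = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
    echo 'raw markup chars left after escaping: '
       . (contains_raw_markup_chars($escaped) ? 'yes' : 'no') . "\n";
}
```

Escaping belongs at the point of output, and htmlspecialchars() is only the right tool for HTML text and attribute contexts; a value written into a JavaScript block or a URL needs context-specific encoding instead.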