Use

    $str = mysql_real_escape_string(strip_tags($data));

and then insert $str into the database. Like this you will avoid cross-site scripting and SQL injection :)

But here you are disabling HTML tags in the comment box. If you want to enable some, read on php.net about the strip_tags function:

    string strip_tags ( string $str [, string $allowable_tags ] )

I am here for further information.

On Wed, Jun 1, 2011 at 9:30 AM, eo <eo2683@xxxxxxxxx> wrote:
> Hi guys,
> I am using WordPress on my site, and twice in 14 months my site has been
> hacked. Both times index.php gets changed in the root folder. I am not sure, but
> I suppose it is done using comments. Can anyone tell how it is being done &
> how to evade it?

--
Best Regards
Ahmad Seder
www.gates.ps
0597333313
0599864000
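An added example, not part of the original message: it runs the reply's strip_tags() call with and without $allowable_tags on a constructed comment, then stores and renders the result. Assumptions: PDO with an in-memory SQLite database is swapped in for mysql_real_escape_string() (ext/mysql was removed in PHP 7), htmlspecialchars() is added for output, and the table and variable names are hypothetical.

```php
<?php
// Added example. The comment text below is constructed for illustration.
// Assumes the pdo_sqlite extension is available.

// Constructed input: a script tag, an allowed tag carrying an attribute, a quote.
$data = "<script>alert(1)</script>Nice <b onmouseover=\"x()\">post</b>, it's great";

// 1. strip_tags() with an allow-list keeps <b>, but it also keeps that tag's
//    attributes, so the event handler on <b> survives this step.
$allowed = strip_tags($data, '<b>');

// 2. Without an allow-list every tag is removed; the text between tags remains.
$plain = strip_tags($data);

// 3. Store with a bound parameter instead of escaping into the SQL string.
//    (PDO prepared statement swapped in for mysql_real_escape_string.)
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
$stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $plain]);

// 4. Encode on output so whatever is stored is rendered as text, not markup.
$row  = $db->query('SELECT body FROM comments WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
$html = htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8');

printf("allow-list result : %s\n", $allowed);
printf("plain result      : %s\n", $plain);
printf("stored row        : %s\n", $row['body']);
printf("rendered as HTML  : %s\n", $html);
```

The first printed line shows why an allow-list passed as $allowable_tags needs a separate attribute filter before the result is echoed into a page.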