I'm getting a search parameter via $_GET and filtering the input data to prevent cross-site scripting using the code below:

$search = array ("'<script[^>]*?>.*?</script>'si", // Strip out javascript
"'%0'[^>]*?>.*?</script>'si", // Strip out HTML tags
"'([\r\n])[\s]+'", // Strip out white space
"'&(quot|#34);'i", // Replace HTML entities
"'&#(\d+);'e"); // evaluate as php

$replace = array ("",
" ",

$text = preg_replace($search, $replace, $_GET);

But on running Acunetix Web Vulnerability Scanner, there still exist some loopholes. I'm using PHP4, therefore I can't use the inbuilt filter functions. Is there another way to go about input data filtration?

Hmmm... you could try to control it at the client side itself, through JavaScript.
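
An added example, not part of the original thread: instead of stripping patterns from the input with preg_replace, the server validates the parameter's shape and encodes it for each context it is written into. It uses only functions present in PHP 4; the parameter name `search`, the helper names and `results.php` are assumptions made for illustration.

```php
<?php
// Added example: encode on output instead of blacklisting patterns on input.
// Only PHP 4 functions are used (htmlspecialchars, rawurlencode, preg_replace).

// Return the named parameter as a bounded plain string, or '' if unusable.
function get_param($source, $name, $maxLen)
{
    if (!isset($source[$name]) || is_array($source[$name])) {
        return '';   // ?search[]=x arrives as an array: reject it
    }
    // Drop control characters, then trim and bound the length.
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $source[$name]);
    return substr(trim($value), 0, $maxLen);
}

// Encode for HTML element content and for quoted attribute values.
// ENT_QUOTES converts both " and ' so the value cannot close an attribute.
function h($value)
{
    return htmlspecialchars($value, ENT_QUOTES);
}

// Constructed sample request; in the real page this would be $_GET.
$request = array('search' => 'x" <script>alert(1)</script>');

$term = get_param($request, 'search', 100);

// HTML body context: markup characters are shown as text, not parsed.
echo '<p>Results for: ' . h($term) . "</p>\n";

// Quoted attribute context: the attribute value must always be quoted.
echo '<input type="text" name="search" value="' . h($term) . "\">\n";

// URL context: percent-encode the value first, then HTML-encode the
// whole attribute value because it is written inside href="...".
echo '<a href="' . h('results.php?search=' . rawurlencode($term))
    . "\">next page</a>\n";
```

The stored or processed value stays unmodified; encoding is applied at the point of output, so the same term can also be passed safely to other sinks (for example a database query) using that sink's own escaping.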
