Hello Everyone,

I made a GET form recently. But the problem is that it is highly vulnerable. You can inject a script as below.

http://mysite.com/processget.phtml?search=<a href="http://google.com">Hacked</a>

I'm able to inject any kind of script into my above URL. I'm actually echoing my GET data using an echo in my BODY, so whenever I enter a malicious script it is being executed in my BODY tag. So now how do I limit this http://mysite.com/processget.phtml?search= to just numbers, letters and a few symbols which I want.

For example, the user should only be able to enter

http://mysite.com/processget.phtml?search=A123123+*$

So can any of you help me fix this bug. I'm kind of new to PHP, so please explain.

Just check what is being grabbed before you use it and addslashes. If you want your script to just accept numbers then:

// Check the specific parameter, not the whole $_GET array
// (is_numeric() on an array is always false).
if (isset($_GET['search']) && is_numeric($_GET['search'])) {
    // everything's fine
} else {
    // error
}
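As an added example (not code from the original poster or the reply above), here is a complete processget.phtml-style handler that does two things the thread asks for: it allowlists the "search" parameter to letters, digits, spaces and the symbols "+", "*" and "$" (the character set and the 64-character cap are assumptions taken from the example URL in the question; change them to suit your form), and it HTML-encodes the value on output with htmlspecialchars so that even an allowed value can never be rendered as markup in the BODY. The function names validate_search and h are made up for this example.

```php
<?php
// Added example, not the original poster's code.
// Allowlist validation of a GET parameter plus HTML output encoding.
declare(strict_types=1);

// Assumed allowlist: letters, digits, space, "+", "*", "$"; 1 to 64 characters.
// Inside a character class "$" and "+" are literal, so no escaping is needed.
const SEARCH_PATTERN = '/^[A-Za-z0-9 +*$]{1,64}$/';

/**
 * Returns the validated search term, or null when the parameter is
 * missing, is not a plain string (e.g. ?search[]=x), or contains any
 * character outside the allowlist.
 */
function validate_search(array $query): ?string
{
    if (!isset($query['search']) || !is_string($query['search'])) {
        return null;
    }
    $value = $query['search'];
    // preg_match() returns 1 on match, 0 on no match, false on error;
    // only an explicit 1 is accepted.
    return preg_match(SEARCH_PATTERN, $value) === 1 ? $value : null;
}

/**
 * Encodes a string for safe insertion into HTML text or a quoted
 * attribute, so '<a href="...">' is displayed literally rather than
 * parsed by the browser.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$search = validate_search($_GET);

if ($search === null) {
    // Reject anything outside the allowlist with a 400 instead of echoing it.
    http_response_code(400);
    echo '<p>Invalid search term. Use only letters, digits, spaces, +, * and $.</p>';
    exit;
}

// The allowlist keeps the input small; the encoding guarantees that what
// is echoed into the BODY cannot become markup.
echo '<p>You searched for: ' . h($search) . '</p>';
```

Two things to keep in mind when testing this with the URL from the question: PHP decodes a literal "+" in a query string as a space, so `?search=A123123+*$` arrives as `A123123 *$` and a real plus sign has to be sent as `%2B`; and the encoding step is what actually stops the injected `<a href="http://google.com">Hacked</a>` from rendering, so keep the htmlspecialchars call on every echo of user data even where the allowlist is relaxed later.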