Admin Note: I have updated the code. Chatserv and I have spent several hours testing this. Let me know if you find any holes in my present solution.

Without posting the details, there are a couple new SQL Injection exploits out there. I recommend the following code be placed at the beginning of modules/Reviews/index.php and modules/News/friend.php

$test = rawurldecode($_SERVER["QUERY_STRING"]);
if (strstr($test,'%3c')||strstr($test,'<')) {
$loc = $_SERVER['QUERY_STRING'];
header("Location: hackattempt.php?$loc");
}

If you don't have a copy of my hackattempt.php file, download it! Alternatively you could redirect them to index.php but then you don't get an email advising you of the hack attempt.

For more on the exploits, click on Read More ...

• http://www.securityfocus.com/archive/1/353201/2004-02-07/2004-02-13/0
• http://www.securityfocus.com/archive/1/353188/2004-02-07/2004-02-13/0
• http://www.secunia.com/advisories/10830/