I'll just make a quick comment here as there is tons of info on the net about it, and another thread recently touched on some of this:
https://xoops.org/modules/newbb/viewtopic.php?topic_id=14580&forum=4
In general, the vulnerabilities posted about web scripts include problems like SQL injection vulnerabilities, or 'cross-site scripting' (XSS) vulnerabilities.
The simple solution to SQL injection is make sure you NEVER use $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS in your queries. These variables are classified as UNTRUSTED data because they are coming from an outside source. ALWAYS wrap untrusted data inside $xoopsDB->quoteString() to make it safe to use inside queries.
The simple solution to XSS vulnerabilities is to always pass untrusted data through the function htmlspecialchars before displaying it on the page. This will prevent any malicious HTML or JavaScript from affecting other users.
I'm sure I'm oversimplifying a lot and I am by no means an expert in this area, but these two steps account for the vast majority of problems. You might want to read up a little on these kinds of attacks in general... i.e. how they are done, why they are dangerous, and how to prevent them.
Hope this helps
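To make the two rules in the post concrete, here is an added example (not code from the post or from the XOOPS project) showing a vulnerable query and output next to their hardened forms. It assumes the XOOPS `$xoopsDB` object whose `quoteString()` returns the value escaped and already wrapped in single quotes; when run outside XOOPS with the php CLI, a small stand-in object with that behaviour is defined so the file runs on its own. The input values are constructed for the demonstration.

```php
<?php
// Added example, not from the forum post or the XOOPS project.
// Assumption: $xoopsDB->quoteString() returns the value escaped AND wrapped in
// single quotes, so no extra quotes are written into the SQL around it.
// Outside XOOPS, the stand-in below mimics that behaviour (addslashes instead
// of the database driver's escaper) so the script runs on its own.

if (!isset($xoopsDB)) {
    // Stand-in for demonstration only; inside XOOPS the real object is used.
    $xoopsDB = new class {
        public function quoteString($str) {
            return "'" . addslashes($str) . "'";
        }
    };
}

// --- SQL injection: vulnerable versus hardened ------------------------------

// Constructed value standing in for $HTTP_GET_VARS['uname'] / $_GET['uname'].
$untrusted_name = "admin' OR '1'='1";

// VULNERABLE: the request value is concatenated straight into the query, so
// the quote characters it contains change the meaning of the WHERE clause.
$sql_bad = "SELECT * FROM users WHERE uname='" . $untrusted_name . "'";

// HARDENED: quoteString() escapes the quotes and supplies its own surrounding
// quotes, so the whole value stays one string literal inside the query.
$sql_good = "SELECT * FROM users WHERE uname=" . $xoopsDB->quoteString($untrusted_name);

// Added note: for columns that must be integers, casting the request value
// is an even simpler way to keep it out of the SQL structure.
$untrusted_uid = "5 OR 1=1";
$sql_int = "SELECT * FROM users WHERE uid=" . intval($untrusted_uid);

// --- XSS: encode untrusted data when it is displayed ------------------------

// Constructed value standing in for a user-submitted comment.
$untrusted_comment = '<script>alert("xss")</script>';

// VULNERABLE: the markup is emitted verbatim and executes in every visitor's
// browser.
$html_bad = "<p>" . $untrusted_comment . "</p>";

// HARDENED: htmlspecialchars() converts <, >, & and quotes into entities so the
// browser renders the text instead of interpreting it. ENT_QUOTES also encodes
// single quotes, which matters when the value lands inside an attribute.
$html_good = "<p>" . htmlspecialchars($untrusted_comment, ENT_QUOTES, 'UTF-8') . "</p>";

echo $sql_bad, "\n", $sql_good, "\n", $sql_int, "\n", $html_bad, "\n", $html_good, "\n";
```

Running the script prints the five strings in order. The vulnerable query carries the attacker-supplied `OR '1'='1` as live SQL, while the hardened one contains the same characters only as a backslash-escaped string literal; the hardened HTML shows `&lt;script&gt;` where the vulnerable version had a real script tag. The same pattern applies to every place a module reads request or cookie data: quote (or cast) before it enters SQL, and encode before it enters the page.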