My site is vulnerable to this script..How do i patch it?

One guy tried to exploit it using this script

http://www.searchr.us/web-search.phtml?search=%22%3E%3Cscript%3Ea开发者_StackOverflowlert%28String.fromCharCode%2872%29+String.fromCharCode%28105%29%29;%3C/script%3E

How do i stop it ?

And he also said that it is vulnerable to XSS and LPI...Please help me stop it.

Thanking You,

You need to HTML-encode all user-entered data that you output, including the user's search string.

To be safe, HTML-encode all values that are not explicitly meant to be HTML code.

The quick solution is to:

<?php echo htmlspecialchars($blah); ?>

instead of

<?php echo $blah; ?>

The long solution is to read a book on web site security.

Seeing as how that is a search query string, I'm guessing you're pulling the value directly from the query string and re-displaying it to the user?

Something along the lines of "Your search of 'something' returned 0 results"?

You need to encode any user entered data before displaying it.