
Possible Duplicate:
What are the best practices for avoiding XSS attacks in a PHP site

Hi, I wonder how hackers can inject this JavaScript code into my homepage.php

<script type="text/javascript">document.write('\u003c\u0069\u006d\u0067\u0020\u0073\u0072\u0063\u003d\u0022\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0061\.........')</script>

How can I block this?

basarozcan

3 Answers


Unless you have any forms that actually post content to your site, and this ends up in your PHP files, I would say that they've uploaded it through FTP, either by a vulnerability in your FTP service or simply by brute force.

Check your FTP transfer logs and see if the file in question has been uploaded by an unknown IP.

Patch your FTP daemon and hope for the best, but I suggest you either remove FTP access or IP-restrict it.

jishi
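The transfer-log check suggested in the answer above, as an added example (not code from the answer). It reads the classic xferlog format written by wu-ftpd, proftpd and vsftpd (five date fields, transfer time, remote host, size, filename, type, special-action flag, direction, access mode, user, service, auth method, auth user id, completion status) and lists uploads of the named file that came from outside an allow-list of your own networks. The allow-listed network (198.51.100.0/24) and the four log lines are constructed for the example.

```python
"""Pick out FTP uploads of a given file from hosts you do not recognise.

Added example, not code from the question or the answers.  The allow-list
and the log lines below are constructed.
"""
import ipaddress
import sys
from dataclasses import dataclass

# Assumption: the only network your own staff upload from.
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed log: a legitimate upload, an upload of the same file from an
# unknown host, an upload of a different file, and a download.
SAMPLE_XFERLOG = """\
Thu Sep 15 09:12:03 2011 2 198.51.100.7 1790 /var/www/html/homepage.php a _ i r www ftp 0 * c
Thu Sep 15 10:42:11 2011 1 203.0.113.45 1832 /var/www/html/homepage.php a _ i r www ftp 0 * c
Thu Sep 15 10:42:12 2011 1 203.0.113.45 1701 /var/www/html/index.php a _ i r www ftp 0 * c
Thu Sep 15 11:00:00 2011 1 203.0.113.45 1832 /var/www/html/homepage.php a _ o r www ftp 0 * c
"""


@dataclass
class Transfer:
    timestamp: str
    remote_host: str
    filename: str
    direction: str   # 'i' = incoming (upload to the server), 'o' = outgoing
    username: str
    status: str      # 'c' = complete, 'i' = incomplete


def parse_xferlog_line(line: str):
    """Parse one xferlog line; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) < 18:
        return None
    # The nine fields after the filename are fixed, so index from the right;
    # this survives filenames containing spaces (most daemons rewrite them
    # to underscores, but not all do).
    return Transfer(
        timestamp=" ".join(parts[:5]),
        remote_host=parts[6],
        filename=" ".join(parts[8:-9]),
        direction=parts[-7],
        username=parts[-5],
        status=parts[-1],
    )


def is_known_host(host: str, networks) -> bool:
    """True if host is an IP address inside one of the allow-listed networks.

    Hostnames (logged when the daemon does reverse lookups) are not resolved
    here; they count as unknown so they surface for review.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def suspicious_uploads(lines, target_basename: str, networks=KNOWN_NETWORKS):
    """Completed or partial uploads of target_basename from non-allow-listed hosts."""
    hits = []
    for line in lines:
        t = parse_xferlog_line(line)
        if t is None or t.direction != "i":
            continue
        if t.filename.rsplit("/", 1)[-1] != target_basename:
            continue
        if not is_known_host(t.remote_host, networks):
            hits.append(t)
    return hits


if __name__ == "__main__":
    # Usage: python xferlog_check.py /var/log/xferlog homepage.php
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
        target = sys.argv[2]
    else:
        lines, target = SAMPLE_XFERLOG.splitlines(), "homepage.php"
    for t in suspicious_uploads(lines, target):
        print(f"{t.timestamp}  {t.remote_host}  user={t.username}  {t.filename}  status={t.status}")
```

On the sample this reports only the 10:42:11 upload from 203.0.113.45. Note that xferlog records transfers only; failed logins from a brute-force attempt live in the daemon's own log or syslog, so this finds the successful upload, not the guessing that preceded it.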

The code you've shown us is merely the result of a hack; it tells us very little about the cause of it.

There are a large number of ways that a hacker can insert code like this into your site. Some of them may be via Javascript or an input form on your site, but it could equally have been a hack on the server software itself, via FTP or another service on the server.

You need to consider the context of the injected code, rather than the content. Has it been added directly to your PHP program files? Or have your pages been modified to pull in this code from elsewhere? Or has this JavaScript been put somewhere in your database? What PHP software are you using (i.e. are you running a well-known package like Drupal or ZenCart, etc.), and have you kept them updated to the latest versions? Answering these questions will give you some help in working out the route that the hacker took to get into your site.

But in the past, when I had similar experiences, I've found that the quickest way to find out about the hack is to paste parts of the hacked code into Google. If the hack is one that's happened elsewhere before, the results will be a mix between other hacked sites and support forums where people have previously discussed their experiences.

I've found that the support forums thrown up by Google almost always either have a direct answer, or at the very least you'll be able to pick up common threads between them, such as everyone who's been hacked this way was running a particular PHP-based package, or something like that.

Without knowing more about your setup, I can't really answer any more than that, but I hope that's been of some help.

Spudley
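To work out the context the answer above asks about, you first need to know which files carry the payload and what it actually writes. As an added example (not code from the question or the answers), the script below decodes the `\uXXXX` obfuscation and walks a web root reporting every PHP/HTML/JS file that contains a `document.write('\u....')` call. The sample payload is constructed: its prefix is the one shown in the question, and the tail (`a.example/x.gif`) is made up to stand in for the truncated URL.

```python
"""Locate and decode document.write('\\u....') payloads under a web root.

Added example, not code from the question or the answers.  The sample
payload's prefix is the one in the question; its tail is constructed.
"""
import os
import re
import sys

# One JavaScript \uXXXX escape.
UNICODE_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")

# document.write('...') whose argument is nothing but \uXXXX escapes,
# the obfuscation style seen in the question.
DOCWRITE_ESCAPED = re.compile(
    r"document\.write\(\s*['\"]((?:\\u[0-9a-fA-F]{4})+)['\"]\s*\)"
)

# Constructed sample: prefix as in the question, tail made up.
SAMPLE_PAYLOAD = (
    "<script type=\"text/javascript\">document.write('"
    r"\u003c\u0069\u006d\u0067\u0020\u0073\u0072\u0063\u003d\u0022"
    r"\u0068\u0074\u0074\u0070\u003a\u002f\u002f\u0061"          # from the question
    r"\u002e\u0065\u0078\u0061\u006d\u0070\u006c\u0065\u002f"    # constructed tail
    r"\u0078\u002e\u0067\u0069\u0066\u0022\u003e"
    "')</script>"
)


def decode_js_escapes(text: str) -> str:
    """Replace every \\uXXXX escape with the character it encodes."""
    return UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def extract_payloads(source: str) -> list:
    """Return the decoded argument of every obfuscated document.write call."""
    return [decode_js_escapes(m.group(1)) for m in DOCWRITE_ESCAPED.finditer(source)]


def scan_tree(root: str, exts=(".php", ".html", ".htm", ".js")) -> dict:
    """Map each file under root that carries such a payload to its decoded payloads."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = extract_payloads(fh.read())
            except OSError:
                continue
            if found:
                hits[path] = found
    return hits


if __name__ == "__main__":
    # Usage: python find_docwrite.py /var/www/html
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, payloads in sorted(scan_tree(root).items()):
        for payload in payloads:
            print(f"{path}: {payload}")
```

Decoding the sample gives `<img src="http://a.example/x.gif">`, i.e. a hidden remote image tag; the list of files that hit tells you whether the code sits in your own PHP files (pointing at FTP or server compromise) or only in rendered pages (pointing at a template or database injection).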

Do not rely on user input through JavaScript; this is client-side. Try to use PHP.

Read more about JavaScript Injection here.

Deniz Zoeteman