Quote:
I tested with custom usergroups and it seems to be working fine...
Problem solved! Thanks
Quote:
WARNING
Hi, this script is currently NOT safe. A bot searched a dozen times for a malicious phrase and got a javascript redirect to load when the top searches were displayed. Luckily it was just a redirect that can easily be removed. I would disable search logging or fix the software ASAP lest someone with a lot more evil intentions starts poking around.
Quote:
Many thanx for ur interest, but I don't know how you consider this to be not safe! As tags are removed on listing queries on forumhome, notice this code snippet, taken from the product: PHP Code:
I see that this is enough to trim any malicious code, as javascript tags are removed b4 listed on page. To understand what I'm saying please try to search for Code:
<script, language="javascript">alert('hello');</script> Thanx for ur interest again, and looking forward to hearing from you :) Regards Mahmoud
It is unsafe, I got hacked, and this link http://www.aktifmadde.com/hacked.html replaced my forumhome. I searched my tables, and found it in the coder_search table. See the attached images.
I read that post, but I don't get what you are saying... I did get hacked through this product... are you saying it's something I did wrong? :)
It was definitely in the search results code, unmodified, as I downloaded it two weeks ago. As soon as I deleted that one entry, the redirect stopped.
I wish I had saved a snapshot of the code before I deleted it. It wasn't simply a Javascript tag that they posted. The link that displayed actually looked something like this: '''''""">>>>>>''>>. Whatever complicated string they fed in, it survived the code stripping process. I don't believe that strip_tags() on its own can sufficiently clean the input to stop all attacks. Everything I'm reading now suggests that you should run htmlspecialchars() afterwards. There have been a number of vulnerabilities where strip_tags() misses an embedded tag OR the browser will auto-correct a malformed tag. For example, last year there was a bug where strip_tags() would ignore <0script> but Internet Explorer would filter out the zero for some reason. That's not happened in this case, but it may have been something similar.
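To illustrate the point made in the post above, here is an added example (not the mod's code and not anything posted in this thread) of a "top searches" list rendered two ways: once with strip_tags() alone, as the thread describes the product doing, and once with htmlspecialchars() applied at output time. The function names and the sample terms are constructed for the example; the two non-benign terms are the test string and the quote-heavy fragment already mentioned in the thread. The aim is to show that strip_tags() only removes things that look like tags, while quotes and angle brackets that break out of an attribute or text node pass straight through, and that encoding for the HTML context is what actually neutralises them.

```php
<?php
// Added example, not the search-logging mod's own code.
// Function names and sample terms are constructed for illustration.

// "Before": tags stripped, nothing encoded. Anything that is not a
// well-formed tag (quotes, bare '>' characters) reaches the page as-is,
// and a '"' in $term closes the href attribute early.
function render_term_strip_only(string $term): string
{
    $stripped = strip_tags($term);
    return '<li><a href="search.php?q=' . $stripped . '">' . $stripped . '</a></li>';
}

// "After": encode for the HTML context at output time.
// ENT_QUOTES encodes both ' and " so the term cannot escape the attribute
// or the text node; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// making htmlspecialchars() return an empty string. The URL parameter
// gets its own context-appropriate encoding with rawurlencode().
function render_term_encoded(string $term): string
{
    $text = htmlspecialchars(strip_tags($term), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $url  = 'search.php?q=' . rawurlencode($term);
    return '<li><a href="' . $url . '">' . $text . '</a></li>';
}

// Does the rendered fragment still contain a raw quote or angle bracket
// outside the markup we wrote ourselves? Used below to compare the two
// renderers on the same input.
function leaks_unencoded_chars(string $rendered_term_only): bool
{
    return preg_match('/["\'<>]/', $rendered_term_only) === 1;
}

// Constructed sample inputs: a benign term, the thread's test string
// (without the stray comma), and the quote-heavy fragment the hacked
// admin recalled seeing in place of a link.
$samples = [
    'vbulletin themes',
    '<script language="javascript">alert(\'hello\');</script>',
    '\'\'\'\'\'""">>>>>>\'\'>>',
];

foreach ($samples as $term) {
    $stripOnly = strip_tags($term);
    $encoded   = htmlspecialchars($stripOnly, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    echo "input:               " . $term . "\n";
    echo "strip_tags() only:   " . render_term_strip_only($term) . "\n";
    echo "  raw quotes/brackets left in term: "
       . (leaks_unencoded_chars($stripOnly) ? 'yes' : 'no') . "\n";
    echo "encoded afterwards:  " . render_term_encoded($term) . "\n";
    echo "  raw quotes/brackets left in term: "
       . (leaks_unencoded_chars($encoded) ? 'yes' : 'no') . "\n\n";
}
```

Running this from the command line with `php example.php` prints each term in both forms. The design point is that strip_tags() is a filter on the input and can only ever reject what it recognises, while htmlspecialchars() is an encoder for the output context and does not need to recognise anything: every `<`, `>`, `"` and `'` becomes an entity regardless of how the string was assembled. That is why the usual advice is to store the logged term as received and encode it wherever it is displayed, rather than trusting the stripping step alone.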