
McAfee Scanalert SQL injection

Posted by trishaskins 
McAfee Scanalert SQL injection
June 08, 2011 02:34PM
Hi. We have McAfee Scanalert on all our websites. We also have SPHIDER search on all our websites.

McAfee Scanalert has uncovered some SQL injection vulnerabilities via this search.php application.

Is there anything we can do to secure this - and not lose the SEARCH facility?

Thanks in advance for any help

PS - to see a site try www.heartratemonitor.co.uk then SEARCH

Tris
Re: McAfee Scanalert SQL injection
June 19, 2011 10:46PM
There is indeed an injection vulnerability through the VARS that are passed through the search form. I had that happen to me last year on www.clickraider.com . I added "stripslashes" to change any insertions to DB and I also changed the VARS to a unique name that no one here knows. Before, someone could just type certain things directly in the browser like www.mysite.com&search=soandso.com or a script in the search text box. Lots of code to change. I do not document much of the changes I make to my site, like the ability to have Google index my entire database, which can be seen if you click on my site's logo, but the threat is there. I had porn ads injected to the lower part of my header and did not know it until I visited the site. I usually just visit the admin area.

[www.clickraider.com]
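
One way to keep the search facility while closing this class of finding is to bind the search term as a query parameter, shown here as an added example that is not part of the original thread and is not Sphider's own code. The `pages` table, its `title` column and the sample rows are assumptions made for illustration, and in-memory SQLite stands in for the site's database so the script runs offline.

```php
<?php
declare(strict_types=1);
// Added example. Table/column names (pages, title) are hypothetical, not Sphider's
// schema. In-memory SQLite keeps it offline; the PDO calls are the same for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO pages (title) VALUES
    ('Chest strap monitors'), ('100% cotton sweat bands'), ('O''Brien running club')");

// Pattern scanners flag: the request value is pasted into the SQL text.
function search_unsafe(PDO $pdo, string $term): array
{
    $sql = "SELECT title FROM pages WHERE title LIKE '%" . $term . "%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: bound parameter, length limit, LIKE wildcards matched literally.
function search_safe(PDO $pdo, string $term): array
{
    $term = trim($term);
    if ($term === '' || strlen($term) > 100) {
        return [];
    }
    // '!' is the escape character so the same SQL is valid on MySQL and SQLite.
    $like = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';
    $stmt = $pdo->prepare("SELECT title FROM pages WHERE title LIKE :q ESCAPE '!'");
    $stmt->execute([':q' => $like]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed search terms: a plain word, a wildcard, and a legitimate apostrophe.
foreach (['strap', '100%', "O'Brien"] as $term) {
    try {
        $unsafe = search_unsafe($pdo, $term);
    } catch (PDOException $e) {
        // The apostrophe closed the string literal, so the input was parsed as SQL.
        $unsafe = 'SQL error';
    }
    echo json_encode(['term' => $term, 'unsafe' => $unsafe,
        'safe' => search_safe($pdo, $term)]), "\n";
}
```

The same change applies to every query in the search script that receives a request value, not only the main keyword lookup.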