Weird PHP variables inserted into URL

[DeLL116]

Lately I've been seeing a lot of weird variables being passed through my URL's and being processed through the php on my site. Examples are below:

/valuebucket.besthomemadedogfoodrecipes.com/stores/storefront.php?VID=http%3A%2F%2Fwww.pattibus.it%2Fphplib-7.2b%2Fpages%2Fgodot%2Fecemi%2F

/stores/stores.php?LETTER=http%3A%2F%2Fwww.service-exposants.com%2Fstore%2Fiyi%2Fifiduw%2F

VID would normally be the vendor ID#
CID would normally be the category ID#

Does anyone know how these variables are being placed into the URL and what the effect might be? I'm not seeing anything weird going on in my database, but I'm a newb to AM and php so I don't really have a clue.

 

[wdmny]

Your script is vulnerable to an XSS attack, at least the second example is. Note that I'm not exposing this, you already did in your post. The data is being placed there by someone typing it into the URL. Visit the URL below to see what happens. Anyone could post anything on your site so I would suggest escaping the data passed to to that variable.

ValueBucket.com - Coupons, Discounts, Sale Items, Discount Codes, Brand Names!

 

[DeLL116]

wtf!

ummmm...I guess I should say....shit?!

Just did some reading on google pertaining to XXS attacks and it seems like I should protect my site against it, but I don't see how it would really hurt me unless my database is accessed.

Like I said, i'm new to php and obviously didn't forsee this happening. When I first developed the site, I did actually put random variables into the URL and noticed that they were displayed, but didn't care because it did not affect my database. Is there other shit I should be worried about, because if it's just someone who wants to put their URL on my page to be displayed, I'm not going to stay up all night tonight fixing the script.

By "escaping the data" do you mean only allowing variables I designate to be passed through the script?

Thanks