Hi Ray,
Thank you. I will fix the code as you suggested.
For the larger issues, my host provides the daily scan to detect any suspicious action through FTP, so not worried so much for the time being.
But certainly I will learn more about XSS :)
Rika