Talkgold HYIP, Investment & Money Forum: HYIP - AutoSurf Program Admin Talk
#1, 06-15-2006, 11:21 PM
Test33 (Senior Investor, Join Date: Jan 2006, Posts: 609)
SQL Injection - A simple way to prevent

Alright, I've made a post on another thread with this way.

By turning ON magic quotes this should stop most SQL injections. I haven't done a lot of testing, but I have not been able to inject anything into my MySQL database.

Here is how you would do an SQL injection.

Code:
"a'; DROP TABLE users; SELECT * FROM data WHERE name LIKE '%"
in the place of username/password etc. fields. Now, with magic quotes off, this is the full SQL query

Code:
SELECT * FROM users WHERE name = 'a'; DROP TABLE users; SELECT * FROM data WHERE name LIKE '%';
This would stop the SQL code from being executed.

Now, this is what it would look like with magic quotes on

Code:
SELECT * FROM users WHERE name = 'a\'; DROP TABLE users; SELECT * FROM data WHERE name LIKE \'%';
Remember that this will not stop all SQL injections, but it should stop most of them.

Since I do not have a reputation here (at least I don't think I do), I'll give you the tutorial on how to do it, right here, free. Then you can contact me if you still need help.

Since most people today just run shared hosting, you do not have access to your php.ini, but I also found out that it is possible to do it from your .htaccess file; however, it doesn't always work. So instead all you need to use is the "addslashes" function.
  1. Open the file that you want to add the function to.
  2. Find the variable that you want to add slashes to. I'll call it $a;
  3. Below it, add $a = addslashes($a);

Make sure your names for the variables are correct. You should have basic knowledge of PHP before attempting this.

If you have access to your php.ini just do this:
  1. Open php.ini
  2. Find magic_quotes_gpc off
  3. change off to on

This will affect ALL your scripts, and might not be good, but it's the easy way out.


Now, I haven't looked too much at the GC HYIP script, since the code is messy =P. But I'll try to add a function to make it easier for all of you, unless naversay wants to, or if he already has.

I want other people to list their ways of 'patching' this problem up. I'm sure there are better ways than using the addslashes function. So post it. Also, tell me if this will work or won't work. I've only tested it on my projects, 'cause I can read the code =)
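To show the caveat in the post above concretely (escaping helps for values inside quotes, and nothing else), here is an added example that is not part of the post. It is Python rather than PHP: addslashes() is emulated, the post's own payload is the constructed input, and an in-memory SQLite database is used only for the parameterized-query half (SQLite does not parse backslash escapes the way MySQL does, so the escaping half is shown at the query-string level).

```python
import sqlite3

# Added example (not from the post): emulates PHP addslashes() and contrasts
# string concatenation with a parameterized query. SQLite is used only for
# the parameterized half, since MySQL backslash escaping is not SQLite syntax.

# The payload quoted in the post, constructed here as a test input.
PAYLOAD = "a'; DROP TABLE users; SELECT * FROM data WHERE name LIKE '%"


def addslashes(value: str) -> str:
    """Emulate PHP addslashes(): backslash before ', \", \\ and NUL."""
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def quoted_query(name: str, escape: bool) -> str:
    """Build the post's query with the value inside quotes, escaped or not."""
    value = addslashes(name) if escape else name
    return f"SELECT * FROM users WHERE name = '{value}';"


def numeric_query(user_id: str) -> str:
    """Unquoted numeric context: addslashes has nothing to escape, so any SQL
    in the value passes through untouched. This is the gap behind the post's
    'will not stop all SQL injections' caveat."""
    return f"SELECT * FROM users WHERE id = {addslashes(user_id)};"


def parameterized_lookup(name: str) -> tuple:
    """Bind the value as a parameter: the driver never parses it as SQL.
    Returns the matching rows and whether the users table still exists."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    con.execute("INSERT INTO users (name) VALUES (?)", (name,))
    rows = con.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    exists = con.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='users'"
    ).fetchone()[0] == 1
    con.close()
    return rows, exists
```

The escaped query produced by quoted_query(PAYLOAD, True) is exactly the magic-quotes-on query shown in the post, while numeric_query shows that the same escaping leaves an unquoted value unchanged; parameterized_lookup stores and matches the payload as plain data with the table intact.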