Hi, I'm a newbie with regards to PHP, so would welcome any advice.

I've got a few sites that keep getting hacked, via SQL injection I believe, and they are using old scripts which use register_globals, which I believe is where my problem is.

I've made some modifications from what I've found out so far, and I'm sanitizing the inputs with this function:

    function sanitize($input){
        if(is_array($input)){
            $output=array(); // initialised so an empty array is returned as an array
            foreach($input as $k=>$i){
                $output[$k]=sanitize($i); // recurse into nested arrays
            }
        }
        else{
            if(get_magic_quotes_gpc()){
                $input=stripslashes($input); // undo magic_quotes before escaping
            }
            $output=mysql_real_escape_string($input);
        }
        return $output;
    }

I have register globals turned off in PHP, but they are still being hacked. So I believe I need to find an alternative to using the code below:

    // Copies every GET, POST, SERVER and SESSION entry into a variable of the same name
    $types_to_register = array('GET','POST','SERVER','SESSION');
    foreach ($types_to_register as $global_type) {
        $arr = @${'HTTP_'.$global_type.'_VARS'};
        if (@count($arr) > 0)
            extract($arr, EXTR_OVERWRITE);
        else {
            $arr = @${'_'.$global_type};
            if (@count($arr) > 0)
                extract($arr, EXTR_OVERWRITE);
        }
    }

Could anyone kindly point me in the right direction to find an alternative to using the above code? Without me having to completely re-write the scripts, I would ideally like to just replace the code above if at all possible.

Any help greatly appreciated. Thanks in advance.

Roland
Create an .htaccess file with:

    php_flag register_globals off

Or change it in php.ini.

Peace,
Thanks for your reply. I actually had register globals off already. However, I have found a workaround now. Thanks again.
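
An allow-list import that could stand in for the extract() loop in the first post, which recreates register_globals in PHP code whatever the php.ini setting is. This is an added example, not code from any poster in the thread; the field names, validation rules and the in-memory SQLite table are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Field names and rules are hypothetical.
// Every variable a script may receive is declared once, with its source and shape.
$rules = [
    'id'   => ['from' => 'get',  'filter' => FILTER_VALIDATE_INT,
               'options' => ['min_range' => 1]],
    'page' => ['from' => 'get',  'filter' => FILTER_VALIDATE_REGEXP,
               'options' => ['regexp' => '/^[a-z0-9_]{1,32}$/']],
    'name' => ['from' => 'post', 'filter' => FILTER_VALIDATE_REGEXP,
               'options' => ['regexp' => '/^[\p{L}\p{N} .\'-]{1,64}$/u']],
];

// Returns only the declared names; invalid or missing values become null.
function import_request(array $rules, array $get, array $post)
{
    $sources = ['get' => $get, 'post' => $post];   // SERVER and SESSION are never imported
    $clean = [];
    foreach ($rules as $name => $rule) {
        $raw = isset($sources[$rule['from']][$name]) ? $sources[$rule['from']][$name] : null;
        if (!is_scalar($raw)) {                    // missing, or an array such as id[]=1
            $clean[$name] = null;
            continue;
        }
        $value = filter_var($raw, $rule['filter'], ['options' => $rule['options']]);
        $clean[$name] = ($value === false) ? null : $value;
    }
    return $clean;
}

// Constructed sample request: a valid id, a malformed page value, and two names
// ('is_admin', 'table') that the extract() loop would have turned into variables.
$get  = ['id' => '42', 'page' => "news' OR '1'='1", 'is_admin' => '1', 'table' => 'x'];
$post = ['name' => "O'Brien"];
$in = import_request($rules, $get, $post);
var_dump($in);

// Accepted values still reach SQL only as bound parameters.
// sqlite::memory: stands in for the site's database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (id, name) VALUES (42, 'existing user')");
$stmt = $db->prepare('UPDATE users SET name = :name WHERE id = :id');
$stmt->execute([':name' => $in['name'], ':id' => $in['id']]);
var_dump($db->query('SELECT id, name FROM users')->fetchAll(PDO::FETCH_ASSOC));
```

A script converted this way reads `$in['id']` where it used to read a bare `$id`, so a request parameter can no longer create or overwrite a variable the script did not declare.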