Hi, I need a little help with securing PHP GETs & POSTs, but I am quite new to PHP and only know a few basics, so could someone help me out please, because I have been injected on one of my sites. Thanks, I would really appreciate it if you guys could help me out on this one.
This was recently discussed, so have a dig through a few pages and you should find some good info. Here: http://forums.digitalpoint.com/showthread.php?t=665540
Here is a simpler way to get rid of MySQL injection: pack your POST and GET variables with mysql_escape_string() in your SQL queries. An example is: mysql_escape_string($_REQUEST['username'])
So is it like ......

$id = $_GET['ID'];
$q=$db->query("SELECT * FROM itemmarket im LEFT JOIN items i ON i.itmid=im.imITEM WHERE imID=$id",$c);

to....

$id = mysql_real_escape_string($_GET['ID']);
$q=$db->query("SELECT * FROM itemmarket im LEFT JOIN items i ON i.itmid=im.imITEM WHERE imID=$id",$c);
If ID is a numeric value, I'd suggest using intval($_GET['ID']), that's even more safe. www.php.net/intval Otherwise, yes, that'd be right.
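
Added example, not part of the thread: the unquoted imID=$id query from the question, with the ID forced to an integer as the last reply suggests and additionally bound through a prepared statement. Escaping only changes quote and backslash characters, so a value such as "10 OR 1=1" passes through it unchanged when it lands in an unquoted numeric position. PDO, the in-memory SQLite database, the sample rows, the imPRICE and itmname columns and the helper names parse_id and find_listing are assumptions made so the example runs offline.

```php
<?php
// Added example, not code from the thread. PDO with in-memory SQLite is an
// assumption so this runs offline; the rows below are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (itmid INTEGER PRIMARY KEY, itmname TEXT)');
$db->exec('CREATE TABLE itemmarket (imID INTEGER PRIMARY KEY, imITEM INTEGER, imPRICE INTEGER)');
$db->exec("INSERT INTO items VALUES (1, 'Sword'), (2, 'Shield')");
$db->exec('INSERT INTO itemmarket VALUES (10, 1, 500), (11, 2, 300)');

// Hypothetical helper: accept the ID only if the whole string is an integer >= 1.
function parse_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical helper: the thread's query with the value bound, not concatenated.
function find_listing(PDO $db, int $id): array
{
    $stmt = $db->prepare(
        'SELECT * FROM itemmarket im LEFT JOIN items i ON i.itmid = im.imITEM WHERE imID = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs standing in for $_GET['ID'].
$samples = ['10', '11', '10 OR 1=1', "10'", '', 'abc'];
foreach ($samples as $raw) {
    $id = parse_id($raw);
    // intval() is printed for comparison: it always yields an integer, but it
    // silently turns "10 OR 1=1" into 10 instead of rejecting the request.
    printf("%-14s intval=%-3d ", var_export($raw, true), intval($raw));
    if ($id === null) {
        echo "rejected\n";
        continue;
    }
    echo count(find_listing($db, $id)), " row(s)\n";
}
```

Only the inputs '10' and '11' reach the query; every other sample is rejected before any SQL runs.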