Perhaps using something similar to this:
function sql_query($sql)
{
    global $mysqli;
    $sql = $mysqli->real_escape_string($sql);
    return $mysqli->query($sql);
}
Will solve the problem, as it escapes the string before continuing with the query.
It's half true: real_escape_string is not a silver bullet to protect against SQL injection.
google://sql+injection+with+mysql+real+escape+string.
If you always believe in real_escape_string, you have a false sense of safety.
My goal is to check/verify the input before the SQL code, and not execute the SQL if it is not good (e.g. verifyaddress).
I have only two eyes, so if you find a place where I don't check something, feel free to msg me.

The hacked faucets used a modified version of minifaucet, so we don't know whether the bug/SQL injection/whatever is in the original code or in the modified code. So we are just groping in the dark.

Has anyone checked that modified code? Does anyone have the modified code at all?
Elbandi
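
The "verify the input first, then run the SQL" approach from the reply above, sketched as an added example (not code from minifaucet or from either poster). The `balances` table, its columns, the function names and the legacy Bitcoin-style address format are assumptions made for illustration.

```php
<?php
// Added example. Hypothetical names: looks_like_address(), get_balance(),
// table `balances` with columns `address` and `amount`.

// Format check only: legacy prefix, Base58 alphabet, plausible length.
// It does not verify the Base58Check checksum.
function looks_like_address(string $input): bool
{
    return preg_match('/^[13][1-9A-HJ-NP-Za-km-z]{25,34}$/', $input) === 1;
}

// Returns null when the input is rejected, otherwise the stored amount (0 if no row).
function get_balance(mysqli $mysqli, string $address): ?int
{
    // 1. Reject bad input before any SQL is built or executed.
    if (!looks_like_address($address)) {
        return null;
    }

    // 2. Bind the value as a parameter. Escaping only protects values placed
    //    inside quoted string literals; a bound parameter is never parsed as
    //    SQL, whatever context it appears in.
    $stmt = $mysqli->prepare('SELECT amount FROM balances WHERE address = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('s', $address);
    $stmt->execute();
    $stmt->bind_result($amount);
    $found = $stmt->fetch();
    $stmt->close();

    return $found ? (int) $amount : 0;
}

// Constructed sample inputs; only the validator runs here, so no database is needed.
$samples = [
    '1' . str_repeat('A', 30),   // well-formed shape
    "1AAAA'AAAA",                // contains a quote and is too short
    'not an address',
];
foreach ($samples as $candidate) {
    printf("%-35s %s\n", $candidate, looks_like_address($candidate) ? 'accepted' : 'rejected');
}
```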