Hello,
I have a video game site - mostly vBulletin, which is fine, but there are a few extra bits to the site that I have done myself.
I'm pretty new to PHP so my code isn't great.
Anyway, I wanted to test my code for SQL injection, but I looked on Google and most of the tools seemed to come from hacker sites etc., which I'm not downloading.
I eventually found an addon for Firefox called SQL Inject Me and ran that. It said everything was alright but when I checked my MySQL tables they were full of junk code it had inserted.
One of my pages doesn't even have any visible fields. It's just a page with a voting submit button and some hidden fields, so how does it inject the code into the tables?
The insert page code is:
$db = mysql_connect("localhost", "username", "password");
mysql_select_db("thedatabase", $db);

$ipaddress = mysql_real_escape_string($_POST['ipaddress']);
$theid     = mysql_real_escape_string($_POST['theid']);
$gamert    = mysql_real_escape_string($_POST['gamert']);
$serveron  = mysql_real_escape_string($_POST['serveron']);

$check  = mysql_query("select * from voting2 where ipaddress='$ipaddress'");
$ipname = mysql_fetch_assoc($check);

if ($ipname['ipaddress'] == $ipaddress) {
    echo 'It appears you have already voted. Click <a href="vote.php">here</a> to return to the votes.';
} else {
    mysql_query("INSERT INTO voting2 (theid,ipaddress,gamert,serveron2)
                 VALUES ('$theid','$ipaddress','$gamert','$serveron')");
    echo 'Your vote has been added. Click <a href="vote.php">here</a> to view the updated totals.';
}
How can I make it safer against SQL injection?
Thanks
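A hardened rewrite of the insert page, added here as an example and not taken from the original post: it uses PDO prepared statements so form input is never spliced into the SQL string, takes the voter's address from the connection instead of a hidden field (hidden fields are ordinary POST parameters that any client can edit, which is how a scanner can fill a table that has no visible inputs), and validates the shape of each value before it reaches the database. The voting2 table and its column names are from the post; the PDO DSN, the credentials, the 50-character column lengths and a UNIQUE index on voting2.ipaddress are assumptions.

```php
<?php
// Added example (not the original poster's code). Assumes PHP >= 5.4 with PDO_MySQL,
// the voting2 table from the post, and a UNIQUE index on voting2.ipaddress.
$pdo = new PDO(
    'mysql:host=localhost;dbname=thedatabase;charset=utf8mb4', 'username', 'password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

// Never trust a hidden field for the voter's identity: every POST parameter can be
// rewritten by the client. The address comes from the TCP connection instead.
$ipaddress = $_SERVER['REMOTE_ADDR'];

// Validate shape before touching the database: theid must be a positive integer and
// the free-text fields must fit their (assumed) 50-character columns.
$theid    = filter_input(INPUT_POST, 'theid', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$gamert   = isset($_POST['gamert'])   ? trim($_POST['gamert'])   : '';
$serveron = isset($_POST['serveron']) ? trim($_POST['serveron']) : '';

if ($theid === false || $theid === null || $gamert === ''
    || strlen($gamert) > 50 || strlen($serveron) > 50) {
    http_response_code(400);
    exit('Invalid vote.');
}

// Placeholders (?) keep data and SQL separate: the values travel to MySQL as bound
// parameters, so quotes or comment sequences in the input cannot alter the statement.
// Relying on the UNIQUE index instead of a SELECT-then-INSERT also closes the race
// where two requests from the same address both pass the "already voted" check.
$insert = $pdo->prepare(
    'INSERT INTO voting2 (theid, ipaddress, gamert, serveron2) VALUES (?, ?, ?, ?)'
);

try {
    $insert->execute([$theid, $ipaddress, $gamert, $serveron]);
    echo 'Your vote has been added. Click <a href="vote.php">here</a> to view the updated totals.';
} catch (PDOException $e) {
    // MySQL error 1062 = duplicate entry on the unique ipaddress index.
    if (isset($e->errorInfo[1]) && $e->errorInfo[1] === 1062) {
        echo 'It appears you have already voted. Click <a href="vote.php">here</a> to return to the votes.';
    } else {
        error_log('vote insert failed: ' . $e->getMessage()); // details stay out of the response
        http_response_code(500);
        echo 'Sorry, your vote could not be recorded.';
    }
}
```

The mysql_* functions this replaces are removed in PHP 7, so moving to PDO (or mysqli with prepared statements) is also what keeps the page working on a current server.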