Asheeown, posted May 26, 2008 (https://forums.phpfreaks.com/topic/107246-sanitizing-strings/):
OK, so my site was hacked last night, WHOOPIEE. He did it by SQL injection, which I am pissed about because I am using mysql_escape_string on EVERY query that I import. The development server I was testing this site on before I put it live doesn't tolerate any ' or other types of quotes used in strings and just reports the query back as false. The version of PHP on the live server is 4.3.11 and on my development server it's 5.2.4. What new code should I use to prevent any further SQL injections?
DarkWater, posted May 26, 2008:
mysql_real_escape_string().
Asheeown (author), posted May 26, 2008:
Okay, but it returns the MySQL error if you have something wrong in your query. Here is the query:

SELECT * FROM Users WHERE Username = \'\'\' AND Password = \'d41d8cd98f00b204e9800998ecf8427e\'

That's with:
Username: '
Password: (none)
DarkWater, posted May 26, 2008:
Only use mysql_real_escape_string(), not any other functions. It shouldn't error you out. And you should enclose all string values in '' in a MySQL query.
redarrow, posted May 26, 2008:
Post your SQL please, cheers.
Asheeown (author), posted May 26, 2008:

    // Query assembled by string interpolation, then the WHOLE query string
    // is passed through the escaper (this is the behaviour being asked about).
    $Query = "INSERT INTO Bots (UserId, Name, Ip, Port, Password) VALUES('" . $_SESSION['UserId'] . "', '$Name', '$Ip', '$Port', '$Password')";
    $Query = sanitize_sql_string($Query);
    $Result = mysql_query($Query) or die(mysql_error());

It slashes ALL of the '
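The root cause visible in the posts above is that the escaper is run over the finished query string, so it escapes the query's own quotes as well as the data. Below is an added example (not code from the thread) that rebuilds both queries from the posts the way DarkWater's answer describes: each value is escaped on its own with mysql_real_escape_string() and then wrapped in single quotes. It assumes $link is an open mysql_connect() handle (mysql_real_escape_string() needs a live connection, unlike mysql_escape_string()) and that the Users and Bots tables exist as named in the posts; the escape_value() helper is hypothetical.

```php
<?php
// Added example; assumes $link is an open mysql_connect() connection.
// The mysql_* extension is the one the thread uses (PHP 4/5); it no longer
// exists in PHP 7+, where mysqli/PDO prepared statements replace all of this.

// Escape ONE value and wrap it in quotes. Call this per value, never on the
// assembled query: escaping the query itself turns its own quotes into \'
// and produces the broken "Username = \'\'\'" string shown in the thread.
function escape_value($link, $value)
{
    return "'" . mysql_real_escape_string((string) $value, $link) . "'";
}

// Login query from the thread, with the same input the poster tried:
// Username: '   Password: (none)
$username      = "'";
$password_hash = md5('');   // d41d8cd98f00b204e9800998ecf8427e, as in the post

$sql = "SELECT * FROM Users WHERE Username = " . escape_value($link, $username)
     . " AND Password = " . escape_value($link, $password_hash);
// $sql is now:
//   SELECT * FROM Users WHERE Username = '\'' AND Password = 'd41d8cd9...'
// The lone quote is data inside a quoted literal, so MySQL parses it fine
// and it cannot close the string or add clauses.
$result = mysql_query($sql, $link);
if ($result === false) {
    error_log('login query failed: ' . mysql_error($link));   // log, don't echo to users
}

// INSERT from the last post, each value escaped individually.
$sql = sprintf(
    "INSERT INTO Bots (UserId, Name, Ip, Port, Password) VALUES (%s, %s, %s, %s, %s)",
    escape_value($link, $_SESSION['UserId']),
    escape_value($link, $Name),
    escape_value($link, $Ip),
    escape_value($link, $Port),
    escape_value($link, $Password)
);
$result = mysql_query($sql, $link);
if ($result === false) {
    error_log('insert failed: ' . mysql_error($link));
}
```

On the PHP 5.2 development server the same INSERT can be written as a mysqli prepared statement with bound parameters, which removes the need to escape at all; on the PHP 4.3 live server mysqli is not available, so per-value escaping with quoted literals is the fallback.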