
Blind injections? Need a little bit of clarification


timmy0320


Alright, I got this Acunetix scanner and I'm scanning everything but for some reason I can't get rid of these "blind" injections and they're all on one page... the process.php page.

 

I have a process.php page that everything is sent through, and it has a class which checks at the beginning...

 

<?php
      if (isset($_POST['login'])) {
      // user submitted login
        $this->login();
      } elseif (isset($_POST['create'])) {
       // user submitted registration form
        $this->register();
      }
?>

 

... and so on. When it calls a function, such as login():

 

I didn't want to post ALL of my functions so I just posted the login() from process.php as an example.

<?php
   // process login
   // if errors found client is redirected to fix information
   // if no errors, user is logged in
   function login() {
      global $session, $functions;
      // match info with user attempt to login
      $retval = $session->login(mysql_real_escape_string($_POST['user']), mysql_real_escape_string($_POST['pass']));

      if($retval) {
        if ($session->accValid(mysql_real_escape_string($_POST['user']))) {
         // successful login
         header("Location: ".$session->referrer);
         exit; // stop here so nothing after the redirect keeps running
        } else {
         // success, but account isn't activated yet.
         // logs out (fix: was showing logged in as blank on header page)
         $session->logout();
         // account is not activated yet.
         // set a session so the link works
         // (string literal: the bare word inactive was an undefined constant)
         $_SESSION['inactive'] = 'inactive';
         header("Location: ".LINK_USER_NOT_ACTIVE);
         exit;
        }
      } else {
      // login failed.
         $_SESSION['value_array'] = $_POST;
         $_SESSION['error_array'] = $functions->getErrorArray();
         header("Location: ".$session->referrer);
         exit;
      }
   }
?>

 

I also do filtering through the "session.php" before it checks through the database.php page.

 

Piece of code that checks the username taken from $session->login:

<?php
      // normalise the username: strip spaces, lowercase, then encode/escape it
      $user = mysql_real_escape_string(htmlspecialchars(strtolower(str_replace(" ", "", $user))));
      if (empty($user)) {
            $functions->setError("user", "*");
          } elseif (strlen($user) < 6) {
            $functions->setError("user", "* Username must be at least 6 characters.");
          } elseif (strlen($user) > 14) {
            $functions->setError("user", "* Username is only allowed to be 14 characters. Invalid submission.");
          } elseif (!preg_match('|^[a-z0-9.]+$|i', $user)) { // was $subuser, an undefined variable
            $functions->setError("user", "* Username can only contain letters (<i>a-z</i>), numbers (<i>0-9</i>) and/or periods (<i>.</i>)");
          }
?>

 

 

I had all my mysql_real_escape_string() calls in my database.php file, which controlled all the database grabbing, etc., and got the blind SQL injection. So I moved it to my process page and it is telling me the same. I keep reading that the function I'm using is the "best way" to stop injections, but is there more to it with blind injections? On the process.php page, when I try to escape strings from the if (isset($_POST['login'])) I get errors saying

 

Fatal error: Can't use function return value in write context in 

 

Also, it's not saying that *all* of the POST values are vulnerable, which is why I'm not completely understanding it. *All* of my functions use the same method (yes, I triple checked) of checking everything. It's even saying my "submit" POST is vulnerable, which is my Submit button. heh.

 

Maybe I'm just missing something on SQL Injections but could someone clear this up a little for me?

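A worked illustration of what a scanner's "blind" finding actually tests, added here as an example; it is not timmy0320's code and not PHP. It runs in Python against an in-memory SQLite table that is a constructed stand-in for the MySQL users table (the real schema is not on the page), and escape() is an assumed substitute for mysql_real_escape_string. A boolean-based blind probe sends one value carrying a condition that is true and one carrying a condition that is false, then compares the two responses; no error message is needed. Quote escaping defeats the probe only where the value lands inside a quoted string literal, and does nothing for a value pasted into an unquoted position such as a numeric id, LIMIT or ORDER BY, which is why escaping everything can still leave a field reported as injectable.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory SQLite table standing in for the
    poster's MySQL users table (assumption: the real schema is not shown)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, active INTEGER)")
    con.executemany(
        "INSERT INTO users (id, username, active) VALUES (?, ?, ?)",
        [(1, "alice1", 1), (2, "bobby22", 0)],
    )
    return con


def escape(value: str) -> str:
    """Assumed stand-in for mysql_real_escape_string. SQLite doubles a quote
    instead of backslash-escaping it, but the effect in a quoted context is the
    same: the value can no longer terminate the string literal it sits in."""
    return value.replace("'", "''")


def name_lookup_raw(con, username):
    # No escaping at all: the classic injectable quoted string.
    sql = f"SELECT id FROM users WHERE username = '{username}'"
    return [row[0] for row in con.execute(sql)]


def name_lookup_escaped(con, username):
    # Quoted string context: escaping is enough here.
    sql = f"SELECT id FROM users WHERE username = '{escape(username)}'"
    return [row[0] for row in con.execute(sql)]


def id_lookup_escaped(con, user_id):
    # Unquoted numeric context: there is no quote to escape, so the input is
    # pasted straight into the query and parsed as SQL.
    sql = f"SELECT username FROM users WHERE id = {escape(user_id)}"
    return [row[0] for row in con.execute(sql)]


def id_lookup_param(con, user_id):
    # Parameterised query: the value is bound as data and never parsed as SQL.
    rows = con.execute("SELECT username FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


def id_lookup_typed(con, user_id):
    # Validate the type before the query is built; a probe like "1 AND 1=2"
    # is rejected before it gets anywhere near SQL.
    try:
        uid = int(user_id)
    except ValueError:
        return None
    return id_lookup_param(con, uid)


def blind_probe(lookup, con, true_payload, false_payload) -> bool:
    """Boolean-based blind check, the kind a scanner sends: one value carrying
    a true condition, one carrying a false condition. If the two responses
    differ, the input is being evaluated as SQL. Returns True when the
    endpoint looks injectable."""
    return lookup(con, true_payload) != lookup(con, false_payload)


def run_demo() -> dict:
    con = make_db()
    quoted_true, quoted_false = "alice1' AND '1'='1", "alice1' AND '1'='2"
    numeric_true, numeric_false = "1 AND 1=1", "1 AND 1=2"
    return {
        "raw quoted string": blind_probe(name_lookup_raw, con, quoted_true, quoted_false),
        "escaped quoted string": blind_probe(name_lookup_escaped, con, quoted_true, quoted_false),
        "escaped numeric": blind_probe(id_lookup_escaped, con, numeric_true, numeric_false),
        "parameterised numeric": blind_probe(id_lookup_param, con, numeric_true, numeric_false),
        "typed numeric": blind_probe(id_lookup_typed, con, numeric_true, numeric_false),
    }


if __name__ == "__main__":
    for case, injectable in run_demo().items():
        print(f"{case:24s} injectable={injectable}")
```

Only the escaped numeric lookup and the unescaped quoted lookup differ between the true and false probes; the parameterised and type-checked versions return the same (empty or rejected) result for both, so the probe has nothing to distinguish. In PHP the equivalent of the last two functions is a PDO or mysqli prepared statement with bound parameters, or an (int) cast before the value is used, rather than mysql_real_escape_string on its own.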
