View Single Post
  #7  
Old 22nd April 2011, 09:35
createch createch is offline
Senior Member
 
Join Date: Aug 2007
Posts: 118
Thanks: 24
Thanked 16 Times in 13 Posts
Default

From your sever admin message, you should fix your SQL command in the following php file:

/modules/noticias/article.php

the usual solution is to add "addslashes" to your command.

For example, it following command is vulnerable to SQL injection:

$command ="select * from users where username='" . $_REQUEST["username"] . "' and password='" . $_REQUEST["password"] . "'";

but the following one will be ok:

$command ="select * from users where username='" . addslashes($_REQUEST["username"]) . "' and password='" . addslashes($_REQUEST["password"]) . "'";
Reply With Quote