$ipcheck = mysql_query("SELECT ip FROM accounts WHERE lastIP = '$ip' and lastvote = '$today'");
if ( mysql_num_rows( $ipcheck ) == '0' ) {
    $insert = "UPDATE accounts SET points=$points WHERE id = $id";
    $ip = "UPDATE accounts SET lastIP = '$ip' WHERE id = $id";
    $data = "UPDATE accounts SET lastvote = '$today' WHERE id = $id";
    mysql_query($insert);
    mysql_query($ip);
    mysql_query($data);
} else {
    echo "error you have voted today";
}
Or something like this... I don't fully understand your script since it's in Spanish...
This system is full of SQL injection possibilities.
I'd suggest you use mysql_real_string_escape or something that uses prepared statements like PDO.
I am using PDO and ADOdb. I like ADOdb because it works with all known database sources and it's easy to use and safe against SQL injections, also noob friendly.
Try to use English for variable naming and stuff like that.
Also, I would not modify the login server's tables but create my own.
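The prepared-statement approach suggested above, applied to the vote check from the first post. This is an added example, not code from the thread: the SQLite in-memory database, the sample rows, the castVote() function and the "points + reward" update are assumptions; only the table and column names come from the posted snippet.

```php
<?php
// Added example. Schema and rows are constructed; column names
// (id, points, lastIP, lastvote) are taken from the snippet in the thread.
function castVote(PDO $db, int $id, string $ip, string $today, int $reward): bool
{
    // Accept only a literal IPv4/IPv6 address before touching the database.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $db->beginTransaction();
    try {
        // Placeholders keep $ip and $today out of the SQL text entirely.
        $check = $db->prepare(
            'SELECT COUNT(*) FROM accounts WHERE lastIP = :ip AND lastvote = :today'
        );
        $check->execute([':ip' => $ip, ':today' => $today]);
        if ((int) $check->fetchColumn() > 0) {
            $db->rollBack();
            return false; // this IP has already voted today
        }
        // One UPDATE instead of three, so the row is never half-written.
        $update = $db->prepare(
            'UPDATE accounts SET points = points + :reward,
                    lastIP = :ip, lastvote = :today WHERE id = :id'
        );
        $update->execute([
            ':reward' => $reward, ':ip' => $ip, ':today' => $today, ':id' => $id,
        ]);
        $changed = $update->rowCount() === 1; // false if the account id is unknown
        $db->commit();
        return $changed;
    } catch (Throwable $e) {
        if ($db->inTransaction()) {
            $db->rollBack();
        }
        throw $e;
    }
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, points INTEGER, lastIP TEXT, lastvote TEXT)');
$db->exec("INSERT INTO accounts VALUES (1, 0, '', ''), (2, 0, '', '')");

$today = date('Y-m-d');
var_dump(castVote($db, 1, '203.0.113.7', $today, 10));  // first vote from this IP
var_dump(castVote($db, 2, '203.0.113.7', $today, 10));  // same IP, same day
var_dump(castVote($db, 2, "x' OR '1'='1", $today, 10)); // not an IP address
```

The same function works against MySQL by changing only the PDO connection string; the queries never concatenate request data, whether it arrives from a form field or from a client-supplied header.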
UnAfraid wrote: This system is full of SQL injection possibilities.
I'd suggest you use mysql_real_string_escape or something that uses prepared statements like PDO.
I am using PDO and ADOdb. I like ADOdb because it works with all known database sources and it's easy to use and safe against SQL injections, also noob friendly.
Try to use English for variable naming and stuff like that.
Also, I would not modify the login server's tables but create my own.
The code is not mine, just update it to make it work.
UnAfraid wrote: This system is full of SQL injection possibilities.
I'd suggest you use mysql_real_string_escape or something that uses prepared statements like PDO.
I am using PDO and ADOdb. I like ADOdb because it works with all known database sources and it's easy to use and safe against SQL injections, also noob friendly.
Try to use English for variable naming and stuff like that.
Also, I would not modify the login server's tables but create my own.
Just don't say anything, how are we going to access all servers out there if they stop using code like that?
Just don't use any search fields on your websites and you're 90% safe
No inputs > No injections.
Use .htaccess file.
Isolate your javascripts and your mysql constants from config.php
regenx wrote: Just don't use any search fields on your websites and you're 90% safe
No inputs > No injections.
Use .htaccess file.
Isolate your javascripts and your mysql constants from config.php
Ups, I up images ^^
Yes, it is old code... it's not mine. In the future..