SQL injection

2025-01-29 02:47:53 +01:00 · 2013-05-07 23:15:46 +03:00 · 2013-05-07 23:15:46 +03:00 · b0a54dd74e
commit b0a54dd74e
parent 3cb8274b88
1 changed files with 1 additions and 1 deletions
--- a/stat_avatar.php
+++ b/stat_avatar.php
@ -4,7 +4,7 @@ require("include/top.php");
 <table bgcolor="#000000" cellspacing="1" cellpadding="3" border="0">
 <?
 if ($_GET["avatar"]) {
-$sql = "SELECT avatar, id, nickname FROM users WHERE BINARY avatar = '".$_GET["avatar"]."'";
+$sql = "SELECT avatar, id, nickname FROM users WHERE BINARY avatar = '".mysql_real_escape_string($_GET["avatar"])."'";
 $r = mysql_query($sql);
 while ($o = mysql_fetch_object($r)) {
 ?>