5th November 2018, 05:53
BamBam0077
recover.php SQL injection
PHP Code:
// $id is placed in the WHERE clause without sqlesc(); the other values are escaped.
mysql_query("UPDATE users SET secret=" . sqlesc($sec) . ", editsecret='', passhash=" . sqlesc($newpasshash) . " WHERE id=$id AND editsecret=" . sqlesc($arr["editsecret"]));

You need to add ".sqlesc($id)." to stop SQL injection.
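The following is an added example, not part of the original post or the tracker's code: it shows the posted query shape next to a hardened form that validates the id as an integer and binds every value as a parameter. Assumptions: an in-memory SQLite database through PDO with constructed rows, `PDO::quote()` standing in for `sqlesc()` (whose definition is not on the page), and the hypothetical function names `build_posted_shape` and `reset_hardened`.

```php
<?php
// Constructed schema and rows; column names are the ones used in the posted query.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, secret TEXT, editsecret TEXT, passhash TEXT)");
$db->exec("INSERT INTO users VALUES (1, 's1', 'tok1', 'h1'), (2, 's2', 'tok2', 'h2')");

// Same shape as the posted query: string values are quoted, $id is interpolated raw.
// Returns the SQL text only, so the effect of a non-numeric id can be inspected.
function build_posted_shape(PDO $db, $id, string $token, string $sec, string $hash): string {
    return "UPDATE users SET secret=" . $db->quote($sec) . ", editsecret='', passhash="
         . $db->quote($hash) . " WHERE id=$id AND editsecret=" . $db->quote($token);
}

// Hardened: reject anything that is not a positive integer, then bind all values.
// Returns the number of rows changed.
function reset_hardened(PDO $db, $id, string $token, string $sec, string $hash): int {
    $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 0; // not a user id: touch nothing
    }
    $st = $db->prepare(
        "UPDATE users SET secret=?, editsecret='', passhash=? WHERE id=? AND editsecret=?"
    );
    $st->execute([$sec, $hash, $id, $token]);
    return $st->rowCount();
}

$bad = "1 OR 1=1"; // constructed non-numeric id value

// In the posted shape the id text becomes part of the SQL grammar.
echo build_posted_shape($db, $bad, 'wrong', 'newsecret', 'newhash'), "\n";

// The hardened form refuses the same input and changes no rows.
var_dump(reset_hardened($db, $bad, 'wrong', 'newsecret', 'newhash'));

// A numeric id with the matching editsecret still works.
var_dump(reset_hardened($db, "1", 'tok1', 'newsecret', 'newhash'));
```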