
Thread: ASPROX SQL Injection Attacks

  1. #1

    If you're using something like MySQLi

    Code:
    if (get_magic_quotes_gpc())
      {
      // Undo the slashes that magic quotes added to the submitted values
      $Username = stripslashes($Username);
      $Password = stripslashes($Password);
      }
    // Escape the username for use inside a quoted SQL string
    $Username = mysqli_real_escape_string($dbi, $Username);
    $PasswordHash = md5($Password);

    $SQL = "SELECT * FROM `Users` WHERE `Username` = '$Username' LIMIT 1";

    Something like this usually works for me...

    First bit removes any "automatic" security features.
    Second bit adds new security bits.

    MD5 will remove any SQL injection code through its encoding.
    If it's just a number, put $i = (int)$_GET['FormNumber'];
    This will make sure it can only have a number.
    asd = 0
    123asd = 123
    asd123 = 0
    like that, then just test that data, but... injection safe...
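
A parameterized-query version of the login lookup and number check discussed in post #1, added here as an example; it is not code from the thread. It goes beyond the post by using PDO with an in-memory SQLite database so it runs without a MySQL server (mysqli's prepare() and bind_param() follow the same pattern) and password_hash()/password_verify() in place of md5(); the table contents and the function names check_login, parse_form_number and find_user_by_id are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added example: constructed schema and data, not code from the thread.

// In-memory SQLite stands in for the MySQL database so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (Id INTEGER PRIMARY KEY, Username TEXT UNIQUE, PasswordHash TEXT)');
$ins = $db->prepare('INSERT INTO Users (Username, PasswordHash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// The username travels as a bound parameter, never as part of the SQL text,
// so a quote character inside it stays data and cannot alter the statement.
function check_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT PasswordHash FROM Users WHERE Username = ? LIMIT 1');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

// Strict numeric check: unlike an (int) cast, mixed input such as "123asd"
// is rejected outright instead of being silently truncated to a number.
function parse_form_number(string $raw): ?int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $n === false ? null : $n;
}

function find_user_by_id(PDO $db, string $rawId): ?string
{
    $id = parse_form_number($rawId);
    if ($id === null) {
        return null; // malformed input never reaches the database
    }
    $stmt = $db->prepare('SELECT Username FROM Users WHERE Id = ?');
    $stmt->execute([$id]);
    $name = $stmt->fetchColumn();
    return is_string($name) ? $name : null;
}

// Constructed inputs: a valid login, a username containing a quote,
// a mixed digits-and-letters form value, and a well-formed id.
var_dump(check_login($db, 'alice', 'correct horse'));
var_dump(check_login($db, "al'ice", 'anything'));
var_dump(parse_form_number('123asd'));
var_dump(find_user_by_id($db, '1'));
```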

  2. #2

    Could you put this in layman's terms?

    I don't understand much of this thread.
    I would like to know how to protect the sites.

    Every single one of my index and default files was
    attacked since yesterday.

    In your messages, I noticed mention of forms and
    MySQL attacks. I don't know anything about
    MySQL.

    But, I'm wondering if the attack coincided with my
    installing PHP Lists from Simple Scripts. I installed
    this yesterday, and re-configured the pages. Could
    one of the forms be the opening for a badware attack?

    If so, how can I protect the sites?

    Thanks
