Today I checked my script with Acunetix and found a "Blind SQL injection" in one of my files.
Acunetix message:
Attack details
HTTP Header input x-forwarded-for was set to 1' and sleep(2)='
How to fix this vulnerability:
Your script should filter metacharacters from user input. Check detailed information for more information about fixing this vulnerability.
I have escaped all input with the mysql_real_escape_string() function, but the error still exists.
I tried to filter this header in my file with this code:
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
    // note: the escaped string is never assigned or used, so this line has no effect on the query
    mysql_real_escape_string(addslashes($_SERVER['HTTP_X_FORWARDED_FOR']));
But it doesn't work. Please help!
It's better to use a PDO prepared statement to prevent SQL injection than to try to create your own "scripts"; just escaping characters is not enough to prevent SQL injections.
Have a look here for PDO prepared statements: http://php.net/manual/en/pdo.prepared-statements.php
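As an added illustration of the answer above (not code from the question or the answer), here is the header-to-query pattern the scanner reported next to a PDO prepared-statement version. The table name `visits`, its columns and the connection details are assumed placeholders.

```php
<?php
// Vulnerable pattern the scanner is reporting: the X-Forwarded-For header is
// concatenated straight into the SQL text, so a value such as
//   1' and sleep(2)='
// becomes part of the statement itself. Shown only for contrast.
function logVisitUnsafe(PDO $db): void {
    $xff = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '';
    $db->exec("INSERT INTO visits (ip, visited_at) VALUES ('$xff', NOW())");
}

// Hardened version, step 1: reduce the header to something you expect.
// X-Forwarded-For may carry a comma-separated chain of proxies; the first
// entry is the originating client (only meaningful behind a proxy you control).
function clientIpFromForwardedFor(?string $header): ?string {
    if ($header === null) {
        return null;
    }
    $first = trim(explode(',', $header)[0]);
    // Reject anything that is not a syntactically valid IPv4/IPv6 address.
    return filter_var($first, FILTER_VALIDATE_IP) === false ? null : $first;
}

// Hardened version, step 2: bind the value as a parameter. The value travels
// separately from the SQL text, so quotes inside it cannot change the
// statement's structure, whatever escaping was or was not applied.
function logVisitSafe(PDO $db): void {
    $ip = clientIpFromForwardedFor($_SERVER['HTTP_X_FORWARDED_FOR'] ?? null);
    if ($ip === null) {
        return; // no usable client address; nothing to store
    }
    $stmt = $db->prepare('INSERT INTO visits (ip, visited_at) VALUES (:ip, NOW())');
    $stmt->bindValue(':ip', $ip, PDO::PARAM_STR);
    $stmt->execute();
}

// Assumed connection details (placeholders). Disabling emulated prepares makes
// MySQL itself handle the parameters server-side.
$db = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
logVisitSafe($db);
```

With the bound parameter, a rescan with the same payload should no longer produce a timing difference, because the `sleep(2)` text is stored as a literal string rather than executed.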