** Workaround: all the non numeric potential keys are escaped;
*/
if (basename($_SERVER['SCRIPT_FILENAME']) != "error.php") {
foreach ($_REQUEST as $k => $v) {
if ($k == "id") {
if (!ereg("^[[:digit:]]*\$", $v)) {
$_REQUEST[$k] = mysql_escape_string($v);
}
} elseif (ereg("\\_id\$", $k)) {
if (!ereg("^[[:digit:]]*\$", $v)) {
$_REQUEST[$k] = aux::escape_string($v);
// $_REQUEST[$k] = -1;
}
} elseif (ereg("^id\\_", $k)) {
if (!ereg("^[[:digit:]]*\$", $v)) {
$_REQUEST[$k] = aux::escape_string($v);
// $_REQUEST[$k] = -1;
}
} elseif ($k == "username") {
$_REQUEST['username'] = mysql_escape_string($v);
} elseif ($k == "name") {
$_REQUEST['name'] = mysql_escape_string($v);
} elseif ($k == "surname") {
$_REQUEST['surname'] = mysql_escape_string($v);
} elseif ($k == "email") {
$_REQUEST['email'] = mysql_escape_string($v);
}
}
}
/* Configuration Inclusion */
if (file_exists("include/config.inc.php")) {
