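** Workaround: all the non numeric potential keys are escaped;
*/

/*
 * Global request pre-filter. For every script except error.php, walk
 * $_REQUEST and escape the values of keys that look like identifiers
 * ("id", "*_id", "id_*") when they are not purely digits, and always escape
 * the values of "username", "name", "surname" and "email".
 *
 * The digit test uses preg_match() with \z instead of ereg(): ereg() is
 * removed in PHP 7 and is not binary-safe (it stops at the first NUL byte),
 * so a value could pass the digits-only test without being all digits.
 * \z anchors at the absolute end of the string, so a trailing newline does
 * not pass either. An empty value still counts as numeric, as before.
 *
 * NOTE(review): this is a stop-gap, not a fix for SQL injection.
 *  - Escaping only protects a value placed inside a quoted SQL string. If
 *    any query interpolates these ids unquoted (not visible here), escaping
 *    does not help; cast to int or reject at the query site.
 *  - Only $_REQUEST is rewritten. $_GET, $_POST and $_COOKIE are separate
 *    arrays and keep the raw values for any code that reads them directly.
 *  - mysql_escape_string() is deprecated and ignores the connection
 *    character set. Prefer prepared statements (PDO/mysqli) where the query
 *    is built; no database connection is visible at this point in the file.
 *  - Array-valued parameters (e.g. "id[]=") are not handled explicitly.
 *  - The original carried a commented-out alternative that replaced a
 *    non-numeric id with -1 instead of escaping it.
 */
if (basename($_SERVER['SCRIPT_FILENAME']) !== "error.php") {
    foreach ($_REQUEST as $k => $v) {
        // Numeric request keys arrive as ints; compare as strings so that
        // key 0 does not loosely equal "id".
        if ((string) $k === "id") {
            if (!preg_match('/^[0-9]*\z/', $v)) {
                $_REQUEST[$k] = mysql_escape_string($v);
            }
        } elseif (preg_match('/_id\z/', $k) || preg_match('/^id_/', $k)) {
            // Keys ending in "_id" or starting with "id_" use the project helper.
            if (!preg_match('/^[0-9]*\z/', $v)) {
                $_REQUEST[$k] = aux::escape_string($v);
            }
        } elseif (in_array((string) $k, array("username", "name", "surname", "email"), true)) {
            // Free-text identity fields are escaped unconditionally.
            $_REQUEST[$k] = mysql_escape_string($v);
        }
    }
}

/* Configuration Inclusion */
if (file_exists("include/config.inc.php")) {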