Userlist.php help

[chaoswar4u]

Hi. I require alittle help on how to secure userlist.php.

 

The following -

 

$st=($_GET['st']) ? $_GET['st'] : 0;

$by=($_GET['by']) ? $_GET['by'] : 'userid';

$ord=($_GET['ord']) ? $_GET['ord'] : 'asc';

 

ultimatly can be injected to effect the following query -

 

$q=$db->query("SELECT u.*,g.* FROM users u LEFT JOIN gangs g ON u.gang=g.gangID ORDER BY $by $ord LIMIT $st,100");

 

Can anyone provide a clear method on how to secure this setup without effecting the sort options on userlist.php in mccodes v2.

 

Many thx in advance for any help.

[Redex]

Well hey this is likeley to be really wrong, but i attempted fixing Tcmakers problem and it worked so i will attempt this one as well. It appears to me as a string ( then again i may be wrong )

so basically you would do something like $_GET['st']= mysql_real_escape_string($_GET['st']); adding that above it or something like that.

[Danny696]

abs(@intval($_GET['st']));