If it's an SQL injection problem, then it's probably these lines in EM2008.php:
Code:
$sql = "INSERT INTO " . TABLE_PREFIX . "rth_em08_bets (user_id,em_game_number,bet_result,bet_home,bet_visitor)
VALUES (".$vbulletin->userinfo['userid'].",".$game.",".$result['bet_result'].",".$result['home'].",".$result['visitor'].")";
... where none of those variables being inserted have been cleaned properly.
At the very least, I'd do ...
Code:
$game = $db->escape_string($game);
$result['bet_result'] = $db->escape_string($result['bet_result']);
$result['home'] = $db->escape_string($result['home']);
$result['visitor'] = $db->escape_string($result['visitor']);
... before that query.
-- hugh
01-30-2008, 03:34 AM
Hybrid Mode
