#4 possible sql injection vulnerability

[Anonymous]

line 29 of hit.php reads:

phpcounter($_GET["name"]);

function phpcounter() in inc.php reads:

function phpcounter($name)
{
global $Referer, $LocalPage;

$rs = mysql_query("select * from phpcounters where name='$name'");
...

replace line 29 of hit.php with:

phpcounter(preg_replace('/[^\w]+/','',$_GET["name"])); // filter input

to filter out any characters besides a-zA-Z0-9_ (word characters "\w")
you can adjust the regular expression to your liking, but always deny ' ` " characters