    The patch to fix the specific SQL injection cited is pretty easy to make. Does someone have a copy of the "latest" MyAds module (whatever version that is)? If so I can tell you exactly what line number. Otherwise you can follow the instructions below.
Towards the bottom of the listing-p-f.php (or annonces-p-f.php depending on which version of MyAds you have) file you'll find the following code just before:
switch($op) {
You'll find:
foreach ($_POST as $k => $v) {
    ${$k} = $v; 
} 
 
$lid = isset( $_GET['lid'] ) ? $_GET['lid'] : '' ; 
 
if(!isset($_POST['op']) && isset($_GET['op']) ) { 
    $op = $_GET['op'] ; 
}  
Just delete these lines (or comment them out with // at the beginning of each line) and replace them with:
// lid is forced to an integer; op is read explicitly from POST, then GET
$lid = isset( $_GET['lid'] ) ? intval($_GET['lid']) : '' ;
$op = isset($_POST['op']) ? $_POST['op'] : '' ;
$op = isset($_GET['op']) ? $_GET['op'] : $op ;

// only the four expected form fields are read, each escaped
$yname = isset($_POST['yname']) ? $myts->addSlashes($_POST['yname']) : '';
$ymail = isset($_POST['ymail']) ? $myts->addSlashes($_POST['ymail']) : '';
$fname = isset($_POST['fname']) ? $myts->addSlashes($_POST['fname']) : '';
$fmail = isset($_POST['fmail']) ? $myts->addSlashes($_POST['fmail']) : '';
Remember, place this BEFORE the switch($op) statement. By the way, the fix for the Job Listing module (jobs ver 1.9) is the same.
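
To see what the replacement changes, here is a stand-alone PHP sketch that runs both input-handling styles over the same constructed request. It is an added example, not MyAds code and not part of the original post. The function names, the `$internal` variable and the sample values are assumptions for illustration, and PHP's `addslashes()` stands in for `$myts->addSlashes()`.

```php
<?php
// Added illustration, not MyAds code. All request values are constructed.

// Old style: every POST key becomes a local variable and lid is used as sent.
function import_old(array $post, array $get): array
{
    $internal = 'set by module';     // hypothetical variable the module relies on
    foreach ($post as $k => $v) {
        ${$k} = $v;                  // a POST key named "internal" replaces it
    }
    $lid = isset($get['lid']) ? $get['lid'] : '';
    $op = isset($op) ? $op : '';
    if (!isset($post['op']) && isset($get['op'])) {
        $op = $get['op'];
    }
    return compact('lid', 'op', 'internal');
}

// New style: only named parameters are read; lid is cast, text is escaped.
function import_new(array $post, array $get): array
{
    $internal = 'set by module';
    $lid = isset($get['lid']) ? intval($get['lid']) : '';
    $op = isset($post['op']) ? $post['op'] : '';
    $op = isset($get['op']) ? $get['op'] : $op;
    $fields = [];
    foreach (['yname', 'ymail', 'fname', 'fmail'] as $name) {
        // addslashes() is a stand-in for XOOPS's $myts->addSlashes()
        $fields[$name] = isset($post[$name]) ? addslashes($post[$name]) : '';
    }
    return compact('lid', 'op', 'internal') + $fields;
}

// Constructed request: an unexpected POST key and a non-numeric lid.
$post = ['internal' => 'from request', 'yname' => "O'Brien", 'op' => 'example_op'];
$get  = ['lid' => '12xyz'];

echo "old handling:\n";
print_r(import_old($post, $get));
echo "new handling:\n";
print_r(import_new($post, $get));
```

With the old handling, `internal` and `lid` come back exactly as the request supplied them; with the new handling, `internal` keeps the module's value, `lid` is an integer, and the quote in `yname` is escaped.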