Filter URL Query Strings For SQL Injections - PHP

I've been given a site to fix that was recently hacked using SQL injection. From what I can gather the Havij automated SQL injector was used to insert code into the query string parameters of the url.

The site is a custom 开发者_JS百科CMS build and a bit dated. I don't think a full rebuild is likely.

What's the best way to prevent this from occurring again? I'm a PHP developer, but usually just do validations on forms, or use systems that have this functionality already built in - wordpress, codeigniter, drupal etc.

Any ideas or thoughts are appreciated.

Thanks

There is only one simple rule: every variable (doesn't matter where it came from - from user or it is something already gotten from database) that is being put into the sql query should be sanitized with mysql_real_escape_string() before.

Or you could use prepared queries (prepared statements/placeholders), doesn't matter.

You may not be able to change all of the code, but maybe you can change the database code. If so try using PDO and prepared statements. I recommend pdo because you didn't specify the database type. If you are using mysql, I think mysqli also provides prepared statements.

$url = filter_var($url, FILTER_SANITIZE_URL);