Joaogl Posted August 29, 2014

Hello, I'm trying to solve a problem in my module. It's a SQL injection problem, but I don't know how to solve it since it's a text field... Here is its code:

```php
protected function add_request_post()
{
    /* id pilotid schedule type */
    if($this->post->id == '')
    {
        $this->set('message', 'Invalid Certificate specified');
        $this->render('core_error.tpl');
        return;
    }

    if($this->post->pilotid == '' || $this->post->schedule == '' || $this->post->type == '')
    {
        $this->set('message', 'You must write your schedules');
        $this->render('core_error.tpl');
        return;
    }

    $data = array(
        'id'       => $this->post->id,
        'pilotid'  => $this->post->pilotid,
        'type'     => $this->post->type,
        'schedule' => $this->post->schedule
    );

    AcademyData::addRequest($data);

    if(DB::errno() != 0)
    {
        if(DB::$errno == 1062) // Duplicate entry
            $this->set('message', 'You have already submited a request.');
        else
            $this->set('message', 'There was an error sending your request. Try again later.');

        $this->render('core_error.tpl');
        return false;
    }

    $this->set('message', 'Request submited with success.');
    $this->render('core_success.tpl');
}
```

```php
public static function addRequest($data)
{
    /* $data = array('id'=>$this->post->id, 'pilotid'=>$this->post->pilotid,
                     'type'=>$this->post->type, 'schedule'=>$this->post->schedule); */
    $sql = "INSERT INTO ".TABLE_PREFIX."requests (
                `pilotid`, `schedule`, `type`, `cid`, `status`, `score`)
            VALUES (
                '{$data['pilotid']}', '{$data['schedule']}', '{$data['type']}', '{$data['id']}', '0', '3')";

    echo $sql;

    $res = DB::query($sql);

    if(DB::errno() != 0)
        return false;

    return true;
}
```

How could I fix it?

Thanks,
Joao Lourenco.
Tom Posted August 29, 2014

You should DB::escape(); each variable before putting it into an SQL query - especially if it's coming from user input.
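Tom's fix applies DB::escape() to every value inside the existing wrapper. As an added example (not phpVMS code and not from either poster), the same hardening with standard PDO prepared statements, assuming a PDO handle `$pdo` opened with exception error mode and the `TABLE_PREFIX` constant the post's query already uses:

```php
<?php
// Added example, not code from phpVMS or the original post.
// Assumes: a PDO handle $pdo opened with PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
// and the TABLE_PREFIX constant the post's query already uses.
// Table and column names come from the post's INSERT; they are fixed, not user input.

function addRequestSafe(PDO $pdo, array $data): bool
{
    // Numeric fields: reject anything that is not a plain digit string before it nears SQL.
    foreach (['id', 'pilotid'] as $field) {
        if (!isset($data[$field]) || !ctype_digit((string) $data[$field])) {
            return false;
        }
    }

    // The free-text field the poster was worried about. Length-limit it (bytes), but do
    // not try to strip quotes: with a placeholder the driver handles quoting, so a quote
    // inside the schedule is stored as a literal character, not interpreted as SQL.
    $schedule = (string) ($data['schedule'] ?? '');
    if ($schedule === '' || strlen($schedule) > 255) {
        return false;
    }

    // Parameterized INSERT: the SQL text is fixed at prepare time; values travel separately.
    $sql = 'INSERT INTO ' . TABLE_PREFIX . 'requests'
         . ' (`pilotid`, `schedule`, `type`, `cid`, `status`, `score`)'
         . ' VALUES (:pilotid, :schedule, :type, :cid, 0, 3)';

    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':pilotid',  (int) $data['pilotid'],         PDO::PARAM_INT);
    $stmt->bindValue(':schedule', $schedule,                      PDO::PARAM_STR);
    $stmt->bindValue(':type',     (string) ($data['type'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':cid',      (int) $data['id'],              PDO::PARAM_INT);

    try {
        return $stmt->execute();
    } catch (PDOException $e) {
        // MySQL error 1062 is the duplicate-entry case the poster's controller checks for.
        // Log it server-side; unlike the original's `echo $sql;`, never print the SQL
        // or the driver message to the browser.
        if ((int) ($e->errorInfo[1] ?? 0) === 1062) {
            error_log('duplicate academy request for cid ' . (int) $data['id']);
        }
        return false;
    }
}
```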
Joaogl Posted August 29, 2014 (Author)

That easy... thank you so much man!