In torrents.php, change this:
// getting order
// NOTE(review): $order and $by look like a sort column and direction that end up
// in an ORDER BY clause (the query itself is not shown here — confirm). In that
// position they are identifiers/keywords, not quoted string literals, so
// htmlspecialchars() and mysql_escape_string() — which only neutralise quotes
// and HTML metacharacters — give no protection: whatever the client sends is
// passed through into the SQL. Only a fixed whitelist of accepted values is a
// real fix. mysql_escape_string() is also deprecated (PHP 5.3) and removed (7.0).
if (isset($_GET["order"]))
$order=htmlspecialchars(mysql_escape_string($_GET["order"]));
else
$order="data";
if (isset($_GET["by"]))
$by=htmlspecialchars(mysql_escape_string($_GET["by"]));
else
$by="DESC";
to this:
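// getting order
// Fixed possible SQL injection (thanks to jeremie78)
// $order and $by are presumably spliced into an ORDER BY clause (query not shown
// here), where escaping cannot help: a column name or ASC/DESC keyword is never
// quoted. Anything not on the fixed whitelist therefore falls back to a default
// instead of reaching the query.
$accepted_orders = array('speed', 'dwned', 'finished', 'leechers', 'seeds', 'size', 'data', 'filename', 'cname');
// is_string() rejects array-shaped input (?order[]=x); strict in_array() rules
// out loose-comparison matches so only an exact whitelist entry is accepted.
$order = (isset($_GET['order']) && is_string($_GET['order']) && in_array($_GET['order'], $accepted_orders, true))
    ? $_GET['order']
    : 'data';
// Direction is a two-valued choice: only an exact 'ASC' flips the default.
$by = (isset($_GET['by']) && $_GET['by'] === 'ASC') ? 'ASC' : 'DESC';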