DIY-CMS blog mod SQL Injection defects and repair

SQL Injection:
BUG:
What is http://www.bkjia.com/diy-cms/mod. php? Mod = blog & modfile = tags & tag = features & start = [sqli]
What is http://www.bkjia.com/diy-cms/mod. php? Mod = blog & start = [sqli]
What is http://www.bkjia.com/diy-cms/mod. php? Mod = blog & modfile = archive & month = [sqli]
What is http://www.bkjia.com/diy-cms/mod. php? Mod = blog & modfile = archive & month = 8 & year = [sqli]
What is http://www.bkjia.com/diy-cms/mod. php? Mod = blog & modfile = list & catid = 4 & start = [sqli]
What is http://www.bkjia.com/diy-cms/mod. php? Mod = blog & modfile = archive & month = 8 & year = 2 & start = [sqli]
What is http://www.bkjia.com/diy-cms/mod. php? Mod = blog & modfile = viewpost & blogid = 26 & start = [sqli]
 
Why? :
The variables $ start, $ year, $ month are not filtered
In file:/modules/blog/tags. php, list. php, index. php,
Main_index.php, viewpost. php
 
$ Start = (! Isset ($ _ GET ['start'])? '0': $ _ GET ['start'];
 
In file:/modules/blog/archive. php
 
$ Start = (! Isset ($ _ GET ['start'])? '0': $ _ GET ['start'];
$ Month = (! Isset ($ _ GET ['month'])?
Error_msg ($ lang ['archive _ NO_MONTH_SPECIFIED ']): $ _ GET ['month'];
$ Year = (! Isset ($ _ GET ['Year'])?
Error_msg ($ lang ['archive _ NO_YEAR_SPECIFIED ']): $ _ GET ['Year'];
 
In file:/modules/blog/control/approve_comments.php,
Approve_posts.php, viewcat. php
 
$ Start = (! Isset ($ _ GET ['start'])? '0': $ _ GET ['start'];