On Thu, November 19, 2009 09:47, James Coffman wrote:
> Hello all,
>
> My website has been hacked using a url such as:
> -1%20union%20all%20select%201,2,concat(username,char(58),password),4,5,6%20from%20users-- .
>
> I have been searching on the web for a solution/fix to this issue and I
> cannot seem to find one.  The command above is showing all usernames and
> passwords (in hashes) and I am not comfortable with that at all!  Is
> there anyone out there that may be able to help or may be able to point
> me in the direction that I need to go in order to correct this issue?
Looks like a SQL injection attack.  You should always filter any input
from the web to accept only those characters and conditions which are
reasonable for that list.

Update to our phone conversation: it looks like the id value is NOT a number
(ss looks like 55 in my web font, sorry).

In Perl you should also either $dbh->quote($inputString) or use the '?'
placeholder mechanism.
For example, if I'm expecting a page number (or other whole number) from
form variable PAGEID I do something like this:

($pid) = $q->param('PAGEID') =~ /(\d+)/;

Basically it will only accept 0-9s as input.  Hope this helps.


How do you have your database server setup?  How are the commands being
passed to the database?



------
William R. Mussatto
Systems Engineer
http://www.csz.com
909-920-9154
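The two defences the reply recommends, a digits-only whitelist on the id and a '?' placeholder so the value is bound as data, side by side with the string-interpolated query that lets a client's text become SQL. This is an added example written for this thread, not code from either poster; it assumes DBI with DBD::SQLite are installed, and the news table, its rows and the two sample inputs are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed in-memory database standing in for the site's content table.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE news (id INTEGER, title TEXT)");
my $ins = $dbh->prepare("INSERT INTO news (id, title) VALUES (?, ?)");
$ins->execute(@$_) for ([1, 'first post'], [2, 'second post']);

# Sample values as they would arrive from the query string after URL decoding
# (constructed; the second is the shape of payload quoted in the thread).
my $good   = "2";
my $attack = "-1 union all select 1,2 from news--";

# 1. Whitelist: the id must be nothing but a run of digits.  The regex is
#    anchored so the whole value is checked rather than the first digit run
#    being extracted; anything else yields undef and the request is rejected.
sub whole_number {
    my ($raw) = @_;
    my ($n) = ($raw // '') =~ /^\s*(\d+)\s*$/;
    return $n;
}

# 2. Placeholder: the value is bound by the driver as a parameter, never
#    spliced into the SQL text, so its content cannot change the statement.
sub title_by_id {
    my ($id) = @_;
    my $sth = $dbh->prepare("SELECT title FROM news WHERE id = ?");
    $sth->execute($id);
    return [ map { $_->[0] } @{ $sth->fetchall_arrayref } ];
}

# 3. What NOT to do: interpolation builds whatever SQL the client sent.
sub unsafe_sql {
    my ($id) = @_;
    return "SELECT title FROM news WHERE id = $id";
}

printf "whitelist(%s) -> %s\n", $good,   whole_number($good)   // 'REJECTED';
printf "whitelist(%s) -> %s\n", $attack, whole_number($attack) // 'REJECTED';

print "interpolated: ", unsafe_sql($attack), "\n";   # client text is now SQL

print "placeholder, good id: @{ title_by_id($good) }\n";    # second post
print "placeholder, attack : @{ title_by_id($attack) }\n";  # no rows: bound as a string
```

Run it as a plain script; the first whitelist call returns 2, the second is rejected, and the bound query with the attack string returns no rows because the whole string is compared against the integer id column as data. Using both checks together is the usual practice: the whitelist keeps bad values out of the application logic, and the placeholder guarantees that whatever does reach the database cannot alter the statement.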




-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/mysql?unsub=arch...@jab.org