I have narrowed the problem down to the code as I have been referenced to a
million times and I thank you all a million times over on helping me out thus
far. Here is where it gets down to the hard part for me (PHP code)..
The error is within:
elseif ($pageID == "ss" && $item != "mostCurrent") {
$newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r' ) as byline,
successId, title, story, picpath, staffID FROM success WHERE successId= $item";
}
So I have done some research and found that it needs to be structured somewhat
as such:
elseif ($pageID == "ss" && $item != "mostCurrent") {
$newsSql = sprintf("SELECT date_format(updated, '%W, %M %D, %Y %r' ) as
byline, successId, title, story, picpath, staffID FROM success WHERE
successId='%s'",
mysql_real_escape_string($item));
mysql_query($newsSql);
}
I cannot seem to get the problem narrowed down with this though. As you see I
am trying to impliment the "mysql_real_escape_string" but I am unfamiliar with
how to integrate it into code that I did not write. Is there anyone out there
that may have some insight to this problem?
-----Original Message-----
From: Wm Mussatto [mailto:mussa...@csz.com]
Sent: Wednesday, November 18, 2009 11:55 AM
To: mysql@lists.mysql.com
Subject: Re: MySQL being hacked with commands through URL
On Thu, November 19, 2009 09:47, James Coffman wrote:
> Hello all,
>
> My website has been hacked using a url such as:
> -1%20union%20all%20select%201,2,concat(username,char(58),password),4,5,6%20f
> rom%20users-- .
>
> I have been searching on the web for a solution/fix to this issue and I
> cannot seem to find one. The command above is showing all usernames and
> passwords (in hashes) and I am not comfortable with that at all! Is there
> anyone out there that may be able to help or may be able to point me in
> the
> direction that I need to go in order to correct this issue?
Looks like a SQL injection attack. You should always filter any input
from the web to accept only those characters and conditions which are
reasonable for that list.
In perl you should also either $dbh->quote($inputString) or use the '?'
place holder mechanism.
For example if I'm expecting a page number (or other whole number) from
form variable PAGEID I do something like this.
($pid) = $q->param('PAGEID') =~/(\d+)/; Basically it will only accept
0-9s as input. Hope this helps.
How do you have your database server setup? How are the commands being
passed to the database?
SOURCE IP FROM HEADER:
************************************************
*Please block this account's access to the *
*internet until its cleaned up. We are basing *
*this on an analysis of the header NOT the FROM*
*address. *
************************************************
------
William R. Mussatto
Systems Engineer
http://www.csz.com
909-920-9154
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql?unsub=webmas...@cadc.com
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql?unsub=arch...@jab.org
