I have tried that many times over and have found no way to get it to work,
keep getting unexpected T_Variable and I cannot find out what's wrong with
what you sent.

-----Original Message-----
From: Michael Dykman [mailto:mdyk...@gmail.com] 
Sent: Wednesday, November 18, 2009 3:49 PM
To: James Coffman
Cc: mysql@lists.mysql.com
Subject: Re: MySQL being hacked with commands through URL

The bits in your date_format call are confusing your sprintf call
"date_format(updated, '%W, %M %D, %Y %r' )"

elseif ($pageID == "ss" && $item != "mostCurrent") {
       $newsSql = sprintf("SELECT date_format(updated, '%W, %M %D, %Y
%r' ) as byline, successId, title, story, picpath, staffID FROM
success WHERE successId='%s'",
       mysql_real_escape_string($item));
       mysql_query($newsSql);
}



This should get you around it:

$sid = mysql_real_escape_string($item);   // escape first, then interpolate the escaped copy
$newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r' ) as
byline, successId, title, story, picpath, staffID FROM success WHERE
successId='$sid'";

$rs = mysql_query($newsSql);
...




On Thu, Nov 19, 2009 at 4:33 PM, James Coffman <webmas...@cadc.com> wrote:
> I have narrowed the problem down to the code as I have been referenced to
> a million times and I thank you all a million times over on helping me out
> thus far.  Here is where it gets down to the hard part for me (PHP code)..
>
> The error is within:
>
> elseif ($pageID == "ss" && $item != "mostCurrent") {
>        $newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r' ) as
> byline, successId, title, story, picpath, staffID FROM success WHERE
> successId= $item";
> }
>
>
> So I have done some research and found that it needs to be structured
somewhat as such:
>
> elseif ($pageID == "ss" && $item != "mostCurrent") {
>        $newsSql = sprintf("SELECT date_format(updated, '%W, %M %D, %Y %r'
> ) as byline, successId, title, story, picpath, staffID FROM success WHERE
> successId='%s'",
>        mysql_real_escape_string($item));
>        mysql_query($newsSql);
> }
>
> I cannot seem to get the problem narrowed down with this though.  As you
> see I am trying to implement the "mysql_real_escape_string" but I am
> unfamiliar with how to integrate it into code that I did not write.  Is
> there anyone out there that may have some insight to this problem?
>
> -----Original Message-----
> From: Wm Mussatto [mailto:mussa...@csz.com]
> Sent: Wednesday, November 18, 2009 11:55 AM
> To: mysql@lists.mysql.com
> Subject: Re: MySQL being hacked with commands through URL
>
> On Thu, November 19, 2009 09:47, James Coffman wrote:
>> Hello all,
>>
>>                 My website has been hacked using a url such as:
>>
>> -1%20union%20all%20select%201,2,concat(username,char(58),password),4,5,6%20from%20users-- .
>>
>> I have been searching on the web for a solution/fix to this issue and I
>> cannot seem to find one.  The command above is showing all usernames and
>> passwords (in hashes) and I am not comfortable with that at all!  Is there
>> anyone out there that may be able to help or may be able to point me in the
>> direction that I need to go in order to correct this issue?
> Looks like a SQL injection attack.  You should always filter any input
> from the web to accept only those characters and conditions which are
> reasonable for that list.
>
> In perl you should also either $dbh->quote($inputString) or use the '?'
> place holder mechanism.
> For example if I'm expecting a page number (or other whole number) from
> form variable PAGEID I do something like this.
>
> ($pid) = $q->param('PAGEID') =~/(\d+)/;  Basically it will only accept
> 0-9s as input.   Hope this helps.
>
>
> How do you have your database server setup?  How are the commands being
> passed to the database?
>
>
> SOURCE IP FROM HEADER:
> ************************************************
> *Please block this account's access to the     *
> *internet until its cleaned up.  We are basing *
> *this on an analysis of the header NOT the FROM*
> *address.                                      *
> ************************************************
> ------
> William R. Mussatto
> Systems Engineer
> http://www.csz.com
> 909-920-9154
>
>
> --
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe:    http://lists.mysql.com/mysql?unsub=webmas...@cadc.com
>
>



-- 
 - michael dykman
 - mdyk...@gmail.com

"May you live every day of your life."
    Jonathan Swift

Larry's First Law of Language Redesign: Everyone wants the colon.
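Added example, not from any poster on this thread: the UNION injection from the first message replayed in Python against an in-memory SQLite database, then stopped by the two defences the thread recommends (Mussatto's digits-only whitelist and a parameterised query). Table and column names follow the query James posted; the users table, its rows and the password "hashes" are constructed sample data, and MySQL's concat() and date_format() are emulated with stand-in functions so the exact payload runs. Worth noticing: the payload selects six values because James's SELECT list has six columns, and it puts concat(username,char(58),password) in the third slot, which is where title is read out.

```python
"""
Added example (not from any poster on this thread): the UNION-based injection
from the first message replayed against an in-memory SQLite database, then
stopped by the two defences the thread recommends, a digits-only whitelist and
a parameterised query.

Assumptions: table/column names follow the query James posted; the users table,
its rows and the password "hashes" are constructed sample data; MySQL's
concat() and date_format() are emulated with stand-in functions.
"""
import re
import sqlite3
import urllib.parse

# The payload exactly as it appeared in the URL in the original report.
PAYLOAD = ("-1%20union%20all%20select%201,2,"
           "concat(username,char(58),password),4,5,6%20from%20users--")

# The SELECT list from James's query: six columns, which is why the payload
# also selects six values and puts the concat() in the third (title) slot.
SELECT_PART = ("SELECT date_format(updated, '%W, %M %D, %Y %r') AS byline, "
               "successId, title, story, picpath, staffID FROM success ")


def connect() -> sqlite3.Connection:
    """Build the sample database. Row contents are constructed for the demo."""
    conn = sqlite3.connect(":memory:")
    # Stand-ins for MySQL functions so the thread's query and payload run as-is
    # under SQLite; char(58) (a ':') is native to SQLite.
    conn.create_function("concat", -1, lambda *parts: "".join(str(p) for p in parts))
    conn.create_function("date_format", 2, lambda value, fmt: value)
    conn.executescript("""
        CREATE TABLE success (updated TEXT, successId INTEGER, title TEXT,
                              story TEXT, picpath TEXT, staffID INTEGER);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO success VALUES ('2009-11-18', 7, 'New client signed',
                                    'story text', 'pic7.jpg', 3);
        INSERT INTO users VALUES ('alice', 'hash-for-alice');
        INSERT INTO users VALUES ('bob', 'hash-for-bob');
    """)
    return conn


def query_vulnerable(conn, item):
    """Mirrors the original PHP: the raw URL value becomes part of the SQL text."""
    sql = SELECT_PART + f"WHERE successId= {item}"
    return conn.execute(sql).fetchall()


def validate_id(item):
    """Whitelist (Mussatto's approach): successId is a whole number, so accept
    nothing but digits. Anything else, including the payload, is rejected."""
    if re.fullmatch(r"\d+", item) is None:
        raise ValueError(f"rejected successId value: {item!r}")
    return int(item)


def query_parameterised(conn, item):
    """The value is bound as a parameter and never parsed as SQL, so the payload
    is compared literally against successId and matches no row."""
    sql = SELECT_PART + "WHERE successId = ?"
    return conn.execute(sql, (item,)).fetchall()


def run_demo():
    conn = connect()
    item = urllib.parse.unquote(PAYLOAD)   # what PHP sees in $item after URL decoding
    leaked = [row[2] for row in query_vulnerable(conn, item)]   # title slot carries user:hash
    try:
        validate_id(item)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "leaked": leaked,                                      # ['alice:hash-for-alice', 'bob:hash-for-bob']
        "rejected_by_whitelist": rejected,                     # True
        "rows_for_payload": query_parameterised(conn, item),   # []
        "rows_for_7": query_parameterised(conn, "7"),          # the single legitimate row
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In PHP the parameterised form is a PDO or mysqli prepared statement with a ? placeholder, which is the fix to reach for rather than escaping. If the sprintf version from the thread is kept, the date_format specifiers have to be written as %%W, %%M, %%D, %%Y and %%r so sprintf passes them through literally; that is the clash Michael pointed out.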
